Result Details
Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-90843-4
Install AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_aide_installed:def:1 |
| Time | 2025-09-21T20:22:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-90843-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9 | | cjis | 5.10.1.3 | | cobit5 | APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6 | | ism | 1034, 1288, 1341, 1417 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3 | | nist | CM-6(a) | | nist-csf | DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3 | | pcidss | Req-11.5 | | os-srg | SRG-OS-000445-GPOS-00199 | | anssi | R76, R79 | | cis | 6.1.1 | | pcidss4 | 11.5.2 | | stigid | RHEL-09-651010 | | stigref | SV-258134r1045265_rule |
|
| Description | The aide package can be installed with the following command:
$ sudo dnf install aide
|
| Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
|
|
|
|
|
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-83438-2
Build and Test AIDE Database
| Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_build_database:def:1 |
| Time | 2025-09-21T20:22:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-83438-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9 | | cjis | 5.10.1.3 | | cobit5 | APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3 | | nist | CM-6(a) | | nist-csf | DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3 | | pcidss | Req-11.5 | | os-srg | SRG-OS-000445-GPOS-00199 | | anssi | R76, R79 | | cis | 6.1.1 | | pcidss4 | 11.5.2 | | stigid | RHEL-09-651010 | | stigref | SV-258134r1045265_rule |
|
| Description | Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file
/var/lib/aide/aide.db.new.gz.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. |
| Rationale | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
Testing existence of operational aide database file
oval:ssg-test_aide_operational_database_absolute_path:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type
file_object
| Filepath |
|---|
| Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1) |
Configure AIDE to Verify the Audit Toolsxccdf_org.ssgproject.content_rule_aide_check_audit_tools mediumCCE-87757-1
Configure AIDE to Verify the Audit Tools
| Rule ID | xccdf_org.ssgproject.content_rule_aide_check_audit_tools |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_check_audit_tools:def:1 |
| Time | 2025-09-21T20:22:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-87757-1 |
| References: | |
| Description | The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| Rationale | Protecting the integrity of the tools used for auditing purposes is a
critical step toward ensuring the integrity of audit information. Audit
information includes all information (e.g., audit records, audit settings,
and audit reports) needed to successfully audit information system
activity.
Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.
It is not uncommon for attackers to replace the audit tools or inject code
into the existing tools to provide the capability to hide or erase system
activity from the audit logs.
To address this risk, audit tools must be cryptographically signed to
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
auditctl is checked in /etc/aide.conf
oval:ssg-test_aide_verify_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^\/usr\/sbin\/auditctl\s+([^\n]+)$ | 1 |
auditd is checked in /etc/aide.conf
oval:ssg-test_aide_verify_auditd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_auditd:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/auditd\s+([^\n]+)$ | 1 |
ausearch is checked in /etc/aide.conf
oval:ssg-test_aide_verify_ausearch:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_ausearch:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/ausearch\s+([^\n]+)$ | 1 |
aureport is checked in /etc/aide.conf
oval:ssg-test_aide_verify_aureport:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_aureport:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/aureport\s+([^\n]+)$ | 1 |
autrace is checked in /etc/aide.conf
oval:ssg-test_aide_verify_autrace:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_autrace:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/autrace\s+([^\n]+)$ | 1 |
rsyslogd is checked in /etc/aide.conf
oval:ssg-test_aide_verify_rsyslogd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_rsyslogd:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/rsyslogd\s+([^\n]+)$ | 1 |
augenrules is checked in /etc/aide.conf
oval:ssg-test_aide_verify_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^/usr/sbin/augenrules\s+([^\n]+)$ | 1 |
Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-83437-4
Configure Periodic Execution of AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_periodic_cron_checking:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-83437-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9 | | cjis | 5.10.1.3 | | cobit5 | APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3 | | nist | SI-7, SI-7(1), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3 | | pcidss | Req-11.5 | | os-srg | SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | anssi | R76 | | cis | 6.1.2 | | pcidss4 | 11.5.2 | | stigid | RHEL-09-651015 | | stigref | SV-258135r1045267_rule |
|
| Description | At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
The usage of cron's special time codes, such as @daily and
@weekly is acceptable. |
| Rationale | By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
run aide with cron
oval:ssg-test_aide_periodic_cron_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/crontab | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron
oval:ssg-test_aide_crond_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/cron.d | ^.*$ | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron
oval:ssg-test_aide_var_cron_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /var/spool/cron/root | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron.(daily|weekly)
oval:ssg-test_aide_crontabs_checking:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| ^/etc/cron.(daily|weekly)$ | ^.*$ | ^[^#]*\/usr\/sbin\/aide\s+\-\-check\s*$ | 1 |
Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-90844-2
Configure Notification of Post-AIDE Scan Details
| Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_scan_notification:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-90844-2 |
| References: | | cis-csc | 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9 | | cobit5 | BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 6.2, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1 | | nist | CM-6(a), CM-3(5) | | nist-csf | DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3 | | os-srg | SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | anssi | R76 | | stigid | RHEL-09-651015 | | stigref | SV-258135r1045267_rule |
|
| Description | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example. |
| Rationale | Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
notify personnel when aide completes
oval:ssg-test_aide_scan_notification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_scan_notification:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/crontab | ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ | 1 |
notify personnel when aide completes
oval:ssg-test_aide_var_cron_notification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_notification:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /var/spool/cron/root | ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ | 1 |
notify personnel when aide completes in cron.(daily|weekly|monthly)
oval:ssg-test_aide_crontabs_notification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_notification:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| ^/etc/cron.(d|daily|weekly|monthly)$ | ^.*$ | ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ | 1 |
Configure AIDE to Use FIPS 140-2 for Validating Hashesxccdf_org.ssgproject.content_rule_aide_use_fips_hashes mediumCCE-88939-4
Configure AIDE to Use FIPS 140-2 for Validating Hashes
| Rule ID | xccdf_org.ssgproject.content_rule_aide_use_fips_hashes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_use_fips_hashes:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-88939-4 |
| References: | | cis-csc | 2, 3 | | cobit5 | APO01.06, BAI03.05, BAI06.01, DSS06.02 | | cui | 3.13.11 | | isa-62443-2009 | 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8 | | iso27001-2013 | A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4 | | nist | SI-7, SI-7(1), CM-6(a) | | nist-csf | PR.DS-6, PR.DS-8 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-651020 | | stigref | SV-258136r1045270_rule |
|
| Description | By default, the sha512 option is added to the NORMAL ruleset in AIDE.
If using a custom ruleset or the sha512 option is missing, add sha512
to the appropriate ruleset.
For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default. |
| Rationale | File integrity tools use cryptographic hashes for verifying file contents and directories
have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. |
| Warnings | warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
|
|
OVAL test results detailsinstalled OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| false | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/os-release | ID="rhel" |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/os-release | VERSION_ID="9.6" |
Check for variant=CoreOS
oval:ssg-test_rhel_coreos_variant:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel_coreos_variant:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VARIANT_ID=(\S+)$ | 1 |
Check if VERSION_ID=9.x
oval:ssg-test_rhel_coreos_version9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/os-release | VERSION_ID="9.6" |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
SUMA is version 4
oval:ssg-test_suma_4:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type
rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SLE HPC release is version 15
oval:ssg-test_sle_hpc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_slmicro5_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sle-micro-release is version 5
oval:ssg-test_slmicroos5:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_slmicroos5:obj:1 of type
rpminfo_object
sle-micro-release is version 5
oval:ssg-test_slmicro5:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_slmicro5:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_xenial:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=xenial$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_bionic:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=bionic$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_focal:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=focal$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_jammy:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_jammy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=jammy$ | 1 |
package aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
Verify non-FIPS hashes are not configured in /etc/aide.conf
oval:ssg-test_aide_non_fips_hashes:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_non_fips_hashes:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^[A-Z][a-zA-Z_]*[\s]*=[\s]*.*(sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32).*$ | 0 |
Verify FIPS hashes are configured in /etc/aide.conf
oval:ssg-test_aide_use_fips_hashes:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_use_fips_hashes:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^[A-Z][A-Za-z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$ | 1 |
Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-90837-6
Configure AIDE to Verify Access Control Lists (ACLs)
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_verify_acls:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-90837-6 |
| References: | | cis-csc | 2, 3 | | cobit5 | APO01.06, BAI03.05, BAI06.01, DSS06.02 | | isa-62443-2009 | 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8 | | iso27001-2013 | A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4 | | nist | SI-7, SI-7(1), CM-6(a) | | nist-csf | PR.DS-6, PR.DS-8 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R76 | | stigid | RHEL-09-651030 | | stigref | SV-258138r1045274_rule |
|
| Description | By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
|
| Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
acl is set in /etc/aide.conf
oval:ssg-test_aide_verify_acls:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_acls:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$ | 1 |
Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-83439-0
Configure AIDE to Verify Extended Attributes
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_verify_ext_attributes:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-83439-0 |
| References: | | cis-csc | 2, 3 | | cobit5 | APO01.06, BAI03.05, BAI06.01, DSS06.02 | | isa-62443-2009 | 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8 | | iso27001-2013 | A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4 | | nist | SI-7, SI-7(1), CM-6(a) | | nist-csf | PR.DS-6, PR.DS-8 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R76 | | stigid | RHEL-09-651035 | | stigref | SV-258139r1045276_rule |
|
| Description | By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
|
| Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications. |
|
|
OVAL test results detailspackage aide is installed
oval:ssg-test_package_aide_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type
rpminfo_object
xattrs is set in /etc/aide.conf
oval:ssg-test_aide_verify_ext_attributes:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_verify_ext_attributes:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aide.conf | ^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$ | 1 |
Audit Tools Must Be Group-owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership mediumCCE-86240-9
Audit Tools Must Be Group-owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_audit_tools_group_ownership:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86240-9 |
| References: | | nist | AU-9 | | os-srg | SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 | | stigid | RHEL-09-232225 | | stigref | SV-257925r991557_rule |
|
| Description | Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have the correct group owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
OVAL test results detailsTesting group ownership of /sbin/auditctl
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditctl | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/aureport
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_1:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/aureport | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/ausearch
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_2:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/ausearch | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/autrace
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_3:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/autrace | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/auditd
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_4:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditd | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/rsyslogd
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_5:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/rsyslogd | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Testing group ownership of /sbin/augenrules
oval:ssg-test_file_groupownerfile_audit_tools_group_ownership_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerfile_audit_tools_group_ownership_6:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/augenrules | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_0_0:ste:1 |
Audit Tools Must Be Owned by Rootxccdf_org.ssgproject.content_rule_file_audit_tools_ownership mediumCCE-86263-1
Audit Tools Must Be Owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_ownership |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_audit_tools_ownership:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86263-1 |
| References: | | nist | AU-9 | | os-srg | SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 | | stigid | RHEL-09-232220 | | stigref | SV-257924r991557_rule |
|
| Description | Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have the correct owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
OVAL test results detailsTesting user ownership of /sbin/auditctl
oval:ssg-test_file_ownerfile_audit_tools_ownership_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditctl | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/aureport
oval:ssg-test_file_ownerfile_audit_tools_ownership_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_1:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/aureport | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/ausearch
oval:ssg-test_file_ownerfile_audit_tools_ownership_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_2:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/ausearch | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/autrace
oval:ssg-test_file_ownerfile_audit_tools_ownership_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_3:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/autrace | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/auditd
oval:ssg-test_file_ownerfile_audit_tools_ownership_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_4:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditd | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/rsyslogd
oval:ssg-test_file_ownerfile_audit_tools_ownership_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_5:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/rsyslogd | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Testing user ownership of /sbin/augenrules
oval:ssg-test_file_ownerfile_audit_tools_ownership_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerfile_audit_tools_ownership_6:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/augenrules | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerfile_audit_tools_ownership_0_0:ste:1 |
Audit Tools Must Have a Mode of 0755 or Less Permissivexccdf_org.ssgproject.content_rule_file_audit_tools_permissions mediumCCE-86228-4
Audit Tools Must Have a Mode of 0755 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_permissions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_audit_tools_permissions:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86228-4 |
| References: | | nist | AU-9 | | os-srg | SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099 | | stigid | RHEL-09-232035 | | stigref | SV-257887r991557_rule |
|
| Description | Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have a mode of 0755 or less permissive. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
OVAL test results detailsTesting mode of /sbin/auditctl
oval:ssg-test_file_permissionsfile_audit_tools_permissions_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditctl | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_0_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/aureport
oval:ssg-test_file_permissionsfile_audit_tools_permissions_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_1:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/aureport | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_1_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/ausearch
oval:ssg-test_file_permissionsfile_audit_tools_permissions_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_2:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/ausearch | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_2_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/autrace
oval:ssg-test_file_permissionsfile_audit_tools_permissions_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_3:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/autrace | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_3_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/auditd
oval:ssg-test_file_permissionsfile_audit_tools_permissions_4:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_4:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/auditd | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_4_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/rsyslogd
oval:ssg-test_file_permissionsfile_audit_tools_permissions_5:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_5:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/rsyslogd | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_5_mode_0755or_stricter_:ste:1 |
Testing mode of /sbin/augenrules
oval:ssg-test_file_permissionsfile_audit_tools_permissions_6:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_audit_tools_permissions_6:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /sbin/augenrules | oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 | oval:ssg-state_file_permissionsfile_audit_tools_permissions_6_mode_0755or_stricter_:ste:1 |
Enable Dracut FIPS Modulexccdf_org.ssgproject.content_rule_enable_dracut_fips_module highCCE-86547-7
Enable Dracut FIPS Module
| Rule ID | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_dracut_fips_module:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-86547-7 |
| References: | | ism | 1446 | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1 | | nist | SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12 | | ospp | FCS_RBG_EXT.1 | | os-srg | SRG-OS-000478-GPOS-00223 | | stigid | RHEL-09-671010 | | stigref | SV-258230r958408_rule |
|
| Description |
Red Hat Enterprise Linux 9 has an installation-time kernel flag that can enable FIPS mode.
The installer must be booted with fips=1 for the system to have FIPS mode
enabled. Enabling FIPS mode on a preexisting system is not supported. If
this rule fails on an installed system, then this is a permanent
finding and cannot be fixed.
To enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
|
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
OVAL test results detailsadd_dracutmodules contains fips
oval:ssg-test_enable_dracut_fips_module:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/dracut.conf.d/40-fips.conf | ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$ | 1 |
Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-88742-2
Enable FIPS Mode
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_fips_mode:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-88742-2 |
| References: | | ism | 1446 | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1 | | nist | CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12 | | ospp | FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1 | | os-srg | SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 | | stigid | RHEL-09-671010 | | stigref | SV-258230r958408_rule |
|
| Description |
Red Hat Enterprise Linux 9 has an installation-time kernel flag that can enable FIPS mode.
The installer must be booted with fips=1 for the system to have FIPS mode
enabled. Enabling FIPS mode on a preexisting system is not supported. If
this rule fails on an installed system, then this is a permanent
finding and cannot be fixed.
To enable FIPS mode at bootable container build time configure fips=1 kernel argument
in /usr/lib/bootc/kargs.d/01-fips.toml:
kargs = ["fips=1"]
Then set the cryptographic policy to FIPS:
update-crypto-policies --no-reload --set FIPS
|
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
To configure Red Hat Enterprise Linux 9 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
Only enabling FIPS 140 mode during the Red Hat Enterprise Linux 9 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. |
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1758413152 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 447 | rw-r--r-- |
test if var_system_crypto_policy selection is set to FIPS
oval:ssg-test_system_crypto_policy_value:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_system_crypto_policy:var:1 | FIPS |
check if fips=1 present in the /usr/lib/bootc/kargs.d/*.toml
oval:ssg-test_fips_1_argument_in_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_fips_1_argument_in_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs[\s]*=[\s]*\[([^\]]+)\]$ | 1 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /.dockerenv exists
oval:ssg-test_installed_env_is_a_docker_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_docker_container:obj:1 of type
file_object
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
Check if /run/.containerenv exists
oval:ssg-test_installed_env_is_a_podman_container:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_installed_env_is_a_podman_container:obj:1 of type
file_object
| Filepath |
|---|
| /run/.containerenv |
kernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_proc_sys_crypto_fips_enabled:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /proc/sys/crypto/fips_enabled | ^1$ | 1 |
kernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | crypto.fips_enabled | 0 |
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1758413152 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 447 | rw-r--r-- |
test if var_system_crypto_policy selection is set to FIPS
oval:ssg-test_system_crypto_policy_value:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_system_crypto_policy:var:1 | FIPS |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf
oval:ssg-test_fips_1_argument_in_boot_loader_entries_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-0-rescue.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf
oval:ssg-test_fips_1_argument_in_boot_loader_entries_conf:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-0-rescue.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
FIPS Must Use a Supported Subpolicyxccdf_org.ssgproject.content_rule_fips_crypto_subpolicy mediumCCE-86538-6
FIPS Must Use a Supported Subpolicy
| Rule ID | xccdf_org.ssgproject.content_rule_fips_crypto_subpolicy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-fips_crypto_subpolicy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86538-6 |
| References: | |
| Description | Sub-policies can be used to modify existing crypto policies.
Some sub-policies such as NO-ENFORCE-EMS reduce the security of the system and should not be used.
Other such as AD-SUPPORT should only be enabled if operationally required.
The OSPP, NO-SHA1, NO-CAMELLIA, and ECDHE-ONLY are allowed by this rule. |
| Rationale | Sub-policies can cause insecure ciphers to be used. |
| Warnings | warning
This rule does not have a remediation. |
OVAL test results detailsCorrect sub policy enabled
oval:ssg-test_fips_crypto_subpolicy:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_fips_crypto_subpolicy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/crypto-policies/config | ^FIPS$|^FIPS:(OSPP|NO-SHA1|NO-CAMELLIA|ECDHE-ONLY)$ | 1 |
Set kernel parameter 'crypto.fips_enabled' to 1xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled highCCE-83441-6
Set kernel parameter 'crypto.fips_enabled' to 1
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_crypto_fips_enabled:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83441-6 |
| References: | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1 | | nist | SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12 | | os-srg | SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 | | stigid | RHEL-09-671010 | | stigref | SV-258230r958408_rule |
|
| Description | System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode.
Red Hat Enterprise Linux 9 has an installation-time kernel flag that can enable FIPS mode.
The installer must be booted with fips=1 for the system to have FIPS mode
enabled. Enabling FIPS mode on a preexisting system is not supported. If
this rule fails on an installed system, then this is a permanent
finding and cannot be fixed.
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
parameters during system installation so key generation is done with FIPS-approved algorithms
and continuous monitoring tests in place. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
OVAL test results detailskernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | crypto.fips_enabled | 0 |
Install crypto-policies packagexccdf_org.ssgproject.content_rule_package_crypto-policies_installed mediumCCE-83442-4
Install crypto-policies package
| Rule ID | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_crypto-policies_installed:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-83442-4 |
| References: | | ospp | FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1 | | os-srg | SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | stigid | RHEL-09-215100 | | stigref | SV-258234r1051250_rule |
|
| Description | The crypto-policies package can be installed with the following command:
$ sudo dnf install crypto-policies
|
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
OVAL test results detailspackage crypto-policies is installed
oval:ssg-test_package_crypto-policies_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | crypto-policies | noarch | (none) | 1.git5269e22.el9 | 20250128 | 0:20250128-1.git5269e22.el9 | 199e2f91fd431d51 | crypto-policies-0:20250128-1.git5269e22.el9.noarch |
Configure BIND to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy highCCE-83451-5
Configure BIND to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83451-5 |
| References: | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1 | | nist | SC-13, SC-12(2), SC-12(3) | | os-srg | SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 | | stigid | RHEL-09-672050 | | stigref | SV-258242r958908_rule |
|
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options section of /etc/named.conf, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config";
|
| Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented. |
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-83450-7
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83450-7 |
| References: | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii) | | ism | 1446 | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1 | | nist | AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3) | | ospp | FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1 | | os-srg | SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | ccn | A.5.SEC-RHEL4 | | cis | 1.6.1 | | pcidss4 | 2.2.7, 2.2 | | stigid | RHEL-09-215105, RHEL-09-671010, RHEL-09-672030 | | stigref | SV-258241r1051259_rule, SV-258230r958408_rule |
|
| Description | To configure the system cryptography policy to use ciphers only from the FIPS
policy, run the following command:
$ sudo update-crypto-policies --set FIPS
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
|
|
|
OVAL test results detailscheck for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1758413152 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 447 | rw-r--r-- |
Configure Kerberos to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy highCCE-83449-9
Configure Kerberos to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83449-9 |
| References: | |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Kerberos is supported by crypto policy, but it's configuration may be
set up to ignore it.
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. |
OVAL test results detailsCheck if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file
oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Check if kerberos configuration symlink links to the crypto-policy backend file
oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Configure Libreswan to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy highCCE-83446-5
Configure Libreswan to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83446-5 |
| References: | |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf
includes the appropriate configuration file.
In /etc/ipsec.conf, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config
|
| Rationale | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. |
OVAL test results detailspackage libreswan is installed
oval:ssg-test_package_libreswan_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | libreswan | x86_64 | (none) | 8.el9 | 4.15 | 0:4.15-8.el9 | 199e2f91fd431d51 | libreswan-0:4.15-8.el9.x86_64 |
Check that the libreswan configuration includes the crypto policy config file
oval:ssg-test_configure_libreswan_crypto_policy:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ipsec.conf | include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files |
Configure SSH Client to Use FIPS 140 Validated Ciphers: openssh.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy highCCE-90125-6
Configure SSH Client to Use FIPS 140 Validated Ciphers: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-90125-6 |
| References: | | nist | AC-17(2) | | os-srg | SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187 | | stigid | RHEL-09-255064 | | stigref | SV-270177r1051237_rule |
|
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH client
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract.
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailstest the value of Ciphers setting in the /etc/crypto-policies/back-ends/openssh.config file
oval:ssg-test_harden_sshd_ciphers_openssh_conf_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/back-ends/openssh.config | Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr |
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.configxccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy mediumCCE-87332-3
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-87332-3 |
| References: | | nist | AC-17(2) | | os-srg | SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093 | | stigid | RHEL-09-255065 | | stigref | SV-257989r1051240_rule |
|
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH server
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailstest the value of Ciphers setting in the /etc/crypto-policies/back-ends/opensshserver.config file
oval:ssg-test_harden_sshd_ciphers_opensshserver_conf_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/back-ends/opensshserver.config | Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr |
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.configxccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy mediumCCE-86208-6
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_openssh_conf_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86208-6 |
| References: | | nist | AC-17(2) | | os-srg | SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093 | | stigid | RHEL-09-255070 | | stigref | SV-270178r1051243_rule |
|
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH
client violate expectations, and makes system configuration more
fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailstest the value of MACs setting in the /etc/crypto-policies/back-ends/openssh.config file
oval:ssg-test_harden_sshd_macs_openssh_conf_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/back-ends/openssh.config | MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 |
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.configxccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy mediumCCE-87567-4
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-87567-4 |
| References: | | nist | AC-17(2) | | os-srg | SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093 | | stigid | RHEL-09-255075 | | stigref | SV-257991r1051246_rule |
|
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oMACS=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH
server violate expectations, and makes system configuration more
fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
OVAL test results detailstest the value of MACs setting in the /etc/crypto-policies/back-ends/opensshserver.config file
oval:ssg-test_harden_sshd_macs_opensshserver_conf_crypto_policy:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/crypto-policies/back-ends/opensshserver.config | MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 |
The Installed Operating System Is Vendor Supportedxccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported highCCE-83453-1
The Installed Operating System Is Vendor Supported
| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-83453-1 |
| References: | | cis-csc | 18, 20, 4 | | cobit5 | APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02 | | isa-62443-2009 | 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9 | | iso27001-2013 | A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3 | | nist | CM-6(a), MA-6, SA-13(a) | | nist-csf | ID.RA-1, PR.IP-12 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-211010 | | stigref | SV-257777r991589_rule |
|
| Description | The installed operating system must be maintained by a vendor.
Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
Linux vendor, Red Hat, Inc. is responsible for providing security patches. |
| Rationale | An operating system is considered "supported" if the vendor continues to
provide security patches for the product. With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software. |
| Warnings | warning
There is no remediation besides switching to a different operating system. |
OVAL test results detailsTest installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/almalinux-release exists
oval:ssg-test_almalinux:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_almalinux:obj:1 of type
file_object
| Filepath |
|---|
| /etc/almalinux-release |
Check Custom OS version
oval:ssg-test_almalinux9:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_almalinux9:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/almalinux-release | ^AlmaLinux release 9.[0-9]+ .*$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| false | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel10_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 10
oval:ssg-test_rhel10:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| false | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 10
oval:ssg-test_rhevh_rhel10_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel10_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
SUMA is version 4
oval:ssg-test_suma_4:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type
rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SLE HPC release is version 15
oval:ssg-test_sle_hpc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_slmicro5_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
sle-micro-release is version 5
oval:ssg-test_slmicroos5:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_slmicroos5:obj:1 of type
rpminfo_object
sle-micro-release is version 5
oval:ssg-test_slmicro5:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_slmicro5:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_noble:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_noble:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=noble$ | 1 |
Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions highCCE-90849-1
Encrypt Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-90849-1 |
| References: | | cis-csc | 13, 14 | | cobit5 | APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.13.16 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d) | | isa-62443-2013 | SR 3.4, SR 4.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R4.2, CIP-007-3 R5.1 | | nist | CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3) | | nist-csf | PR.DS-1, PR.DS-5 | | os-srg | SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183 | | ccn | A.25.SEC-RHEL1 | | stigid | RHEL-09-231190 | | stigref | SV-257879r1045454_rule |
|
| Description | Red Hat Enterprise Linux 9 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Red Hat Enterprise Linux 9 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening
. |
| Rationale | The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost. |
Evaluation messagesinfo
No candidate or applicable check found. |
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-83468-9
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_home:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-83468-9 |
| References: | | cis-csc | 12, 15, 8 | | cobit5 | APO13.01, DSS05.02 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.13.1.1, A.13.2.1, A.14.1.3 | | nist | CM-6(a), SC-5(2) | | nist-csf | PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R28 | | cis | 1.1.2.3.1 | | stigid | RHEL-09-231010 | | stigref | SV-257843r991589_rule |
|
| Description | If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| Rationale | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
|
|
|
OVAL test results details/home on own partition
oval:ssg-testhome_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mounthome_own_partition:obj:1 of type
partition_object
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-90845-9
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_tmp:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-90845-9 |
| References: | | cis-csc | 12, 15, 8 | | cobit5 | APO13.01, DSS05.02 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.13.1.1, A.13.2.1, A.14.1.3 | | nist | CM-6(a), SC-5(2) | | nist-csf | PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 1.1.2.1.1 | | stigid | RHEL-09-231015 | | stigref | SV-257844r1044918_rule |
|
| Description | The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
|
|
|
OVAL test results details/tmp on own partition
oval:ssg-testtmp_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mounttmp_own_partition:obj:1 of type
partition_object
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-83466-3
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-83466-3 |
| References: | | cis-csc | 12, 15, 8 | | cobit5 | APO13.01, DSS05.02 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.13.1.1, A.13.2.1, A.14.1.3 | | nist | CM-6(a), SC-5(2) | | nist-csf | PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R28 | | cis | 1.1.2.4.1 | | stigid | RHEL-09-231020 | | stigref | SV-257845r1044920_rule |
|
| Description | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| Rationale | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
|
|
|
OVAL test results details/var on own partition
oval:ssg-testvar_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_own_partition:obj:1 of type
partition_object
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log lowCCE-90848-3
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-90848-3 |
| References: | | cis-csc | 1, 12, 14, 15, 16, 3, 5, 6, 8 | | cobit5 | APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3 | | nerc-cip | CIP-007-3 R6.5 | | nist | CM-6(a), AU-4, SC-5(2) | | nist-csf | PR.PT-1, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R28 | | cis | 1.1.2.6.1 | | stigid | RHEL-09-231025 | | stigref | SV-257846r1044922_rule |
|
| Description | System logs are stored in the /var/log directory.
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM. |
| Rationale | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. |
|
|
|
OVAL test results details/var/log on own partition
oval:ssg-testvar_log_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_own_partition:obj:1 of type
partition_object
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-90847-5
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log_audit:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-90847-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8 | | cobit5 | APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1 | | nerc-cip | CIP-007-3 R6.5 | | nist | CM-6(a), AU-4, SC-5(2) | | nist-csf | PR.DS-4, PR.PT-1, PR.PT-4 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000357-CTR-000800 | | anssi | R71 | | cis | 1.1.2.7.1 | | stigid | RHEL-09-231030 | | stigref | SV-257847r1044924_rule |
|
| Description | Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| Rationale | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
|
|
|
OVAL test results details/var/log/audit on own partition
oval:ssg-testvar_log_audit_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_audit_own_partition:obj:1 of type
partition_object
| Mount point |
|---|
| /var/log/audit |
Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp mediumCCE-83487-9
Ensure /var/tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_tmp:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-83487-9 |
| References: | |
| Description | The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
|
|
|
OVAL test results details/var/tmp on own partition
oval:ssg-testvar_tmp_partition:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_tmp_own_partition:obj:1 of type
partition_object
Disable the GNOME3 Login Restart and Shutdown Buttonsxccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown highCCE-86315-9
Disable the GNOME3 Login Restart and Shutdown Buttons
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_disable_restart_shutdown:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-86315-9 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.2 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1), CM-7(b) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-271095, RHEL-09-271100 | | stigref | SV-258029r1045109_rule, SV-258030r1045112_rule |
|
| Description | In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability the ability to shutdown or restart the system. This
functionality should be disabled by setting
disable-restart-buttons to true.
To disable, add or edit disable-restart-buttons to
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update. |
| Rationale | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
GUI restart and shutdown buttons are disabled
oval:ssg-test_disable_restart_buttons:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_restart_buttons:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/ | ^.*$ | ^\[org/gnome/login-screen\]([^\n]*\n+)+?disable-restart-buttons=true$ | 1 |
GUI restart and shutdown buttons cannot be enabled
oval:ssg-test_prevent_user_enable_restart_buttons:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_enable_restart_buttons:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/disable-restart-buttons$ | 1 |
Disable the GNOME3 Login User Listxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list mediumCCE-88285-2
Disable the GNOME3 Login User List
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_disable_user_list:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-88285-2 |
| References: | |
| Description | In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting disable-user-list
to true.
To disable, add or edit disable-user-list to
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update. |
| Rationale | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
GUI user list is disabled
oval:ssg-test_disable_user_list:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_user_list:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/ | ^.*$ | ^\[org/gnome/login-screen\]([^\n]*\n+)+?disable-user-list=true$ | 1 |
GUI user list cannot be enabled
oval:ssg-test_prevent_user_disable_user_list:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_disable_user_list:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/disable-user-list$ | 1 |
Enable the GNOME3 Screen Locking On Smartcard Removalxccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal mediumCCE-86452-0
Enable the GNOME3 Screen Locking On Smartcard Removal
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_lock_screen_on_smartcard_removal:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86452-0 |
| References: | | os-srg | SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 | | stigid | RHEL-09-271045, RHEL-09-271050 | | stigref | SV-258019r1045092_rule, SV-258020r1045094_rule |
|
| Description | In the default graphical environment, screen locking on smartcard removal
can be enabled by setting removal-action
to 'lock-screen'.
To enable, add or edit removal-action to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update. |
| Rationale | Locking the screen automatically when removing the smartcard can
prevent undesired access to system. |
|
|
OVAL test results detailstests the value of removal-action setting in the /etc/dconf/db/local.d/ file
oval:ssg-test_dconf_gnome_lock_screen_on_smartcard_removal:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_lock_screen_on_smartcard_removal:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\s*\[org/gnome/settings-daemon/peripherals/smartcard\].*(?:\n\s*[^[\s].*)*\n^\s*removal-action[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Prevent user from modifying removal-action
oval:ssg-test_prevent_user_removal-action:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_removal-action:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks | ^.*$ | ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ | 1 |
Disable GDM Automatic Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login highCCE-89663-9
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-gnome_gdm_disable_automatic_login:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-89663-9 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.1 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | CM-6(a), AC-6(1), CM-7(b) | | nist-csf | PR.IP-1 | | os-srg | SRG-OS-000480-GPOS-00229 | | pcidss4 | 8.3.1, 8.3 | | stigid | RHEL-09-271040 | | stigref | SV-258018r1045090_rule |
|
| Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false
|
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating
system security. |
|
|
OVAL test results detailspackage gdm is installed
oval:ssg-test_package_gdm_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | gdm | x86_64 | 1 | 30.el9_6 | 40.1 | 1:40.1-30.el9_6 | 199e2f91fd431d51 | gdm-1:40.1-30.el9_6.x86_64 |
Disable GDM Automatic Login
oval:ssg-test_disable_automatic_login:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_automatic_login:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/gdm/custom.conf | ^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$ | 1 |
Disable GNOME3 Automount Openingxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open mediumCCE-90128-0
Disable GNOME3 Automount Opening
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_disable_automount_open:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-90128-0 |
| References: | | cis-csc | 12, 16 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | cui | 3.1.7 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.AC-6 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | ccn | A.11.SEC-RHEL12 | | cis | 1.8.6, 1.8.7 | | pcidss4 | 3.4.2, 3.4 | | stigid | RHEL-09-271020, RHEL-09-271025 | | stigref | SV-258014r1045084_rule, SV-258015r1045086_rule |
|
| Description | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update. |
| Rationale | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
Disable automount-open in GNOME
oval:ssg-test_dconf_gnome_disable_automount_open:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_disable_automount_open:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ | 1 |
Prevent user from changing automount-open setting
oval:ssg-test_prevent_user_gnome_automount_open:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_gnome_automount_open:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/media-handling/automount-open$ | 1 |
Disable GNOME3 Automount runningxccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun lowCCE-90257-7
Disable GNOME3 Automount running
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_disable_autorun:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | low |
| Identifiers: | CCE-90257-7 |
| References: | | cis-csc | 12, 16 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | cui | 3.1.7 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.AC-6 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | ccn | A.11.SEC-RHEL12 | | cis | 1.8.8, 1.8.9 | | stigid | RHEL-09-271030, RHEL-09-271035 | | stigref | SV-258016r958804_rule, SV-258017r1045088_rule |
|
| Description | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update. |
| Rationale | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Disabling automatic mount running in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
Disable autorun in GNOME
oval:ssg-test_dconf_gnome_disable_autorun:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_gnome_disable_autorun:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ | 1 |
Prevent user from changing autorun setting
oval:ssg-test_prevent_user_gnome_autorun:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_gnome_autorun:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/media-handling/autorun-never$ | 1 |
Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-86510-5
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_idle_delay:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86510-5 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.5 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-11(a), CM-6(a) | | nist-csf | PR.AC-7 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 | | ccn | A.11.SEC-RHEL7 | | cis | 1.8.4 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-271065 | | stigref | SV-258023r958402_rule |
|
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
|
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
screensaver idle delay is configured
oval:ssg-test_screensaver_idle_delay:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_idle_delay:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/session\]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ | 1 |
screensaver idle delay setting is correct
oval:ssg-test_screensaver_idle_delay_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_idle_delay_setting:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^idle-delay[\s=]*uint32[\s]([^=\s]*) | 1 |
Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay mediumCCE-86954-5
Set GNOME3 Screensaver Lock Delay After Activation Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_lock_delay:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-86954-5 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-11(a), CM-6(a) | | nist-csf | PR.AC-7 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 | | ccn | A.11.SEC-RHEL7 | | cis | 1.8.4 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-271075 | | stigref | SV-258025r958402_rule |
|
| Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 0
in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 0
After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
screensaver lock is set correctly
oval:ssg-test_screensaver_lock_delay:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_lock_delay:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ | 1 |
screensaver lock delay setting is correct
oval:ssg-test_screensaver_lock_delay_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_lock_delay_setting:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^lock-delay[\s=]*uint32[\s]([^=\s]*) | 1 |
Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-89302-4
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_lock_enabled:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-89302-4 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.5 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a) | | nist-csf | PR.AC-7 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-271055, RHEL-09-271060 | | stigref | SV-258021r1015088_rule, SV-258022r1045097_rule |
|
| Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
screensaver lock is enabled
oval:ssg-test_screensaver_lock_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_lock_enabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-enabled=true$ | 1 |
screensaver lock cannot be changed by user
oval:ssg-test_prevent_user_screensaver_lock:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_screensaver_lock:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/screensaver/lock-enabled$ | 1 |
Implement Blank Screensaverxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank mediumCCE-88733-1
Implement Blank Screensaver
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_mode_blank:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-88733-1 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.5 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-11(1), CM-6(a), AC-11(1).1 | | nist-csf | PR.AC-7 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000031-GPOS-00012 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-271085 | | stigref | SV-258027r1045106_rule |
|
| Description |
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update. |
| Rationale | Setting the screensaver mode to blank-only conceals the
contents of the display from passersby. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
screensaver mode is blank
oval:ssg-test_screensaver_mode_blank:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_screensaver_mode_blank:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?picture-uri=string \'\'$ | 1 |
blank screensaver cannot be changed by user
oval:ssg-test_prevent_user_screensaver_mode_change:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_screensaver_mode_change:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/screensaver/picture-uri$ | 1 |
Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks mediumCCE-87491-7
Ensure Users Cannot Change GNOME3 Screensaver Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_screensaver_user_locks:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-87491-7 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 | | cis | 1.8.5 | | stigid | RHEL-09-271080 | | stigref | SV-258026r1045103_rule |
|
| Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
screensaver lock delay cannot be changed by user
oval:ssg-test_user_change_lock_delay_lock:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_change_lock_delay_lock:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/screensaver/lock-delay$ | 1 |
Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks mediumCCE-85971-0
Ensure Users Cannot Change GNOME3 Session Idle Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_session_idle_user_locks:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | medium |
| Identifiers: | CCE-85971-0 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a) | | nist-csf | PR.AC-7 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 | | cis | 1.8.5 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-271070 | | stigref | SV-258024r1045100_rule |
|
| Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
user cannot change screensaver idle delay
oval:ssg-test_user_change_idle_delay_lock:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_change_idle_delay_lock:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/desktop/session/idle-delay$ | 1 |
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot highCCE-88653-1
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_disable_ctrlaltdel_reboot:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-88653-1 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.2 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1), CM-7(b) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-271105, RHEL-09-271110 | | stigref | SV-258031r1045114_rule, SV-258032r1045117_rule |
|
| Description | By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to [''] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=['']
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
Disable Ctrl-Alt-Del
oval:ssg-test_disable_gnome_ctrlaltdel:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_gnome_ctrlaltdel:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/ | ^.*$ | ^\[org/gnome/settings-daemon/plugins/media-keys\]([^\n]*\n+)+?logout[\s]*=[\s]*\[''\]$ | 1 |
Prevent enabling of ctrl-alt-del keys
oval:ssg-test_prevent_user_enable_ctrlaltdel:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_enable_ctrlaltdel:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/local.d/locks/ | ^.*$ | ^/org/gnome/settings-daemon/plugins/media-keys/logout$ | 1 |
Make sure that the dconf databases are up-to-date with regards to respective keyfilesxccdf_org.ssgproject.content_rule_dconf_db_up_to_date highCCE-87295-2
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_db_up_to_date:def:1 |
| Time | 2025-09-21T20:22:52-05:00 |
| Severity | high |
| Identifiers: | CCE-87295-2 |
| References: | |
| Description | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf update command. More specifically, content present
in the following directories:
/etc/dconf/db/distro.d
/etc/dconf/db/local.d
|
| Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. |
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
Check if the distro dconf DB is up-to-date with keyfiles in the distro tree.
oval:ssg-test_dconf_distro_up_to_date:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_dconf_distro_db_modified_time:var:1 | 86613 |
no keyfiles applicable to the distro database
oval:ssg-test_dconf_distro_no_keyfiles:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/dconf/db/distro.d/locks/20-authselect | symbolic link | 0 | 0 | 27 | rwxrwxrwx |
| not evaluated | /etc/dconf/db/distro.d/20-authselect | symbolic link | 0 | 0 | 24 | rwxrwxrwx |
Check if the local dconf DB is up-to-date with keyfiles in the local tree.
oval:ssg-test_dconf_local_up_to_date:tst:1
error
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| error | oval:ssg-var_dconf_local_db_modified_time:var:1 | 86613 |
no keyfiles applicable to the local database
oval:ssg-test_dconf_local_no_keyfiles:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_dconf_local_config:obj:1 of type
file_object
| Filepath |
|---|
| ^/etc/dconf/db/local.d/.* |
Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-83523-1
Install sudo Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sudo_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sudo_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83523-1 |
| References: | |
| Description | The sudo package can be installed with the following command:
$ sudo dnf install sudo
|
| Rationale | sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done.
|
OVAL test results detailspackage sudo is installed
oval:ssg-test_package_sudo_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | sudo | x86_64 | (none) | 10.el9_6.2 | 1.9.5p2 | 0:1.9.5p2-10.el9_6.2 | 199e2f91fd431d51 | sudo-0:1.9.5p2-10.el9_6.2.x86_64 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-83544-7
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_no_authenticate:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83544-7 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-11, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-7 | | os-srg | SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | stigid | RHEL-09-432025 | | stigref | SV-258086r1050789_rule |
|
| Description | The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
OVAL test results details!authenticate does not exist in /etc/sudoers
oval:ssg-test_no_authenticate_etc_sudoers:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d
oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-83536-3
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_nopasswd:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83536-3 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-11, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-7 | | os-srg | SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | stigid | RHEL-09-611085 | | stigref | SV-258106r1050789_rule |
|
| Description | The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
OVAL test results detailsNOPASSWD does not exist /etc/sudoers
oval:ssg-test_nopasswd_etc_sudoers:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sudoers | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
NOPASSWD does not exist in /etc/sudoers.d
oval:ssg-test_nopasswd_etc_sudoers_d:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
Require Re-Authentication When Using the sudo Commandxccdf_org.ssgproject.content_rule_sudo_require_reauthentication mediumCCE-90029-0
Require Re-Authentication When Using the sudo Command
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_require_reauthentication:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-90029-0 |
| References: | | nist | IA-11 | | os-srg | SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | ccn | A.5.SEC-RHEL2 | | cis | 5.2.5, 5.2.6 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-432015 | | stigref | SV-258084r1050789_rule |
|
| Description | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. |
|
|
OVAL test results detailscheck correct configuration in /etc/sudoers
oval:ssg-test_sudo_timestamp_timeout:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/(sudoers|sudoers\.d\/.*)$ | ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$ | 1 |
check correct configuration in /etc/sudoers
oval:ssg-test_sudo_timestamp_timeout_no_signs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout_no_signs:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/(sudoers|sudoers\.d\/.*)$ | ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$ | 1 |
The operating system must restrict privilege elevation to authorized personnelxccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized mediumCCE-83525-6
The operating system must restrict privilege elevation to authorized personnel
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_restrict_privilege_elevation_to_authorized:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83525-6 |
| References: | |
| Description | The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
|
| Rationale | If the "sudoers" file is not configured correctly, any user defined
on the system can initiate privileged actions on the target system. |
| Warnings | warning
This rule doesn't come with a remediation, as the exact requirement allows exceptions,
and removing lines from the sudoers file can make the system non-administrable. |
OVAL test results detailsMake sure that sudoers has restrictions on which users can run sudo
oval:ssg-test_not_all_users_can_sudo_to_users:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_users:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$ | 1 |
Make sure that sudoers has restrictions on which users can run sudo
oval:ssg-test_not_all_users_can_sudo_to_group:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_cfg_spec_all_group:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s* | 1 |
Ensure invoking users password for privilege escalation when using sudoxccdf_org.ssgproject.content_rule_sudoers_validate_passwd mediumCCE-83529-8
Ensure invoking users password for privilege escalation when using sudo
| Rule ID | xccdf_org.ssgproject.content_rule_sudoers_validate_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudoers_validate_passwd:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83529-8 |
| References: | |
| Description | The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
or if cvtsudoers not supported:
sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw
|
| Rationale | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
the invoking user for the "root" user password. |
|
|
OVAL test results detailsEnsure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_targetpw_config:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_config:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !targetpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_rootpw_config:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_config:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !rootpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_runaspw_config:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_config:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !runaspw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_targetpw_not_defined:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_not_defined:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults targetpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_rootpw_not_defined:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_not_defined:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults rootpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo
oval:ssg-test_sudoers_runaspw_not_defined:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_not_defined:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults runaspw$\r?\n | 1 |
Ensure gnutls-utils is installedxccdf_org.ssgproject.content_rule_package_gnutls-utils_installed mediumCCE-83494-5
Ensure gnutls-utils is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_gnutls-utils_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83494-5 |
| References: | | ospp | FIA_X509_EXT.1, FIA_X509_EXT.1.1, FIA_X509_EXT.2 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-215080 | | stigref | SV-257839r991589_rule |
|
| Description | The gnutls-utils package can be installed with the following command:
$ sudo dnf install gnutls-utils
|
| Rationale | GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools. |
|
|
|
|
|
|
|
OVAL test results detailspackage gnutls-utils is installed
oval:ssg-test_package_gnutls-utils_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gnutls-utils_installed:obj:1 of type
rpminfo_object
Ensure nss-tools is installedxccdf_org.ssgproject.content_rule_package_nss-tools_installed mediumCCE-89706-6
Ensure nss-tools is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_nss-tools_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_nss-tools_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-89706-6 |
| References: | |
| Description | The nss-tools package can be installed with the following command:
$ sudo dnf install nss-tools
|
| Rationale | Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Install the nss-tools package
to install command-line tools to manipulate the NSS certificate
and key database. |
OVAL test results detailspackage nss-tools is installed
oval:ssg-test_package_nss-tools_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | nss-tools | x86_64 | (none) | 4.el9_4 | 3.112.0 | 0:3.112.0-4.el9_4 | 199e2f91fd431d51 | nss-tools-0:3.112.0-4.el9_4.x86_64 |
Install rng-tools Packagexccdf_org.ssgproject.content_rule_package_rng-tools_installed lowCCE-83504-1
Install rng-tools Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rng-tools_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rng-tools_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | low |
| Identifiers: | CCE-83504-1 |
| References: | |
| Description | The rng-tools package can be installed with the following command:
$ sudo dnf install rng-tools
|
| Rationale | rng-tools provides hardware random number generator tools,
such as those used in the formation of x509/PKI certificates.
|
|
|
|
|
|
|
|
OVAL test results detailspackage rng-tools is installed
oval:ssg-test_package_rng-tools_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rng-tools_installed:obj:1 of type
rpminfo_object
Install subscription-manager Packagexccdf_org.ssgproject.content_rule_package_subscription-manager_installed mediumCCE-83506-6
Install subscription-manager Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_subscription-manager_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_subscription-manager_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83506-6 |
| References: | | ism | 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495 | | ospp | FPT_TUD_EXT.1, FPT_TUD_EXT.2 | | os-srg | SRG-OS-000366-GPOS-00153 | | stigid | RHEL-09-215010 | | stigref | SV-257825r1044888_rule |
|
| Description | The subscription-manager package can be installed with the following command:
$ sudo dnf install subscription-manager
|
| Rationale | Red Hat Subscription Manager is a local service which tracks installed products
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
content management tools such as .
The package provides, among other things, plugins
to interact with repositories and subscriptions
from the Red Hat entitlement platform - the subscription-manager and
product-id plugins. |
OVAL test results detailspackage subscription-manager is installed
oval:ssg-test_package_subscription-manager_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | subscription-manager | x86_64 | (none) | 1.el9_6 | 1.29.45.1 | 0:1.29.45.1-1.el9_6 | 199e2f91fd431d51 | subscription-manager-0:1.29.45.1-1.el9_6.x86_64 |
Uninstall gssproxy Packagexccdf_org.ssgproject.content_rule_package_gssproxy_removed mediumCCE-83516-5
Uninstall gssproxy Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_gssproxy_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_gssproxy_removed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83516-5 |
| References: | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-215045 | | stigref | SV-257832r1044900_rule |
|
| Description | The gssproxy package can be removed with the following command:
$ sudo dnf remove gssproxy
|
| Rationale | gssproxy is a proxy for GSS API credential handling.
Kerberos relies on some key derivation functions that may not
be compatible with some site policies such as FIPS 140.
|
OVAL test results detailspackage gssproxy is removed
oval:ssg-test_package_gssproxy_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type
rpminfo_object
Uninstall iprutils Packagexccdf_org.ssgproject.content_rule_package_iprutils_removed mediumCCE-83519-9
Uninstall iprutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iprutils_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_iprutils_removed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83519-9 |
| References: | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-215050 | | stigref | SV-257833r1044902_rule |
|
| Description | The iprutils package can be removed with the following command:
$ sudo dnf remove iprutils
|
| Rationale | iprutils provides a suite of utlilities to manage and configure SCSI devices
supported by the ipr SCSI storage device driver.
|
|
|
|
|
|
|
OVAL test results detailspackage iprutils is removed
oval:ssg-test_package_iprutils_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | iprutils | x86_64 | (none) | 5.el9 | 2.4.19 | 0:2.4.19-5.el9 | 199e2f91fd431d51 | iprutils-0:2.4.19-5.el9.x86_64 |
Uninstall tuned Packagexccdf_org.ssgproject.content_rule_package_tuned_removed mediumCCE-83521-5
Uninstall tuned Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tuned_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tuned_removed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83521-5 |
| References: | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-215055 | | stigref | SV-257834r1044904_rule |
|
| Description | The tuned package can be removed with the following command:
$ sudo dnf remove tuned
|
| Rationale | tuned contains a daemon that tunes the system settings dynamically.
It does so by monitoring the usage of several system components periodically. Based
on that information, components will then be put into lower or higher power savings
modes to adapt to the current usage.
|
|
|
|
|
|
|
OVAL test results detailspackage tuned is removed
oval:ssg-test_package_tuned_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | tuned | noarch | (none) | 2.el9_6 | 2.25.1 | 0:2.25.1-2.el9_6 | 199e2f91fd431d51 | tuned-0:2.25.1-2.el9_6.noarch |
Ensure dnf Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-83458-0
Ensure dnf Removes Previous Package Versions
| Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-clean_components_post_updating:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | low |
| Identifiers: | CCE-83458-0 |
| References: | | cis-csc | 18, 20, 4 | | cobit5 | APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02 | | cui | 3.4.8 | | isa-62443-2009 | 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9 | | iso27001-2013 | A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3 | | nist | SI-2(6), CM-11(a), CM-11(b), CM-6(a) | | nist-csf | ID.RA-1, PR.IP-12 | | os-srg | SRG-OS-000437-GPOS-00194 | | stigid | RHEL-09-214035 | | stigref | SV-257824r1044886_rule |
|
| Description | dnf should be configured to remove previous software components after
new versions have been installed. To configure dnf to remove the
previous software components after updating, set the clean_requirements_on_remove
to 1 in /etc/dnf/dnf.conf.
|
| Rationale | Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries. |
OVAL test results detailscheck value of clean_requirements_on_remove in /etc/dnf/dnf.conf
oval:ssg-test_yum_clean_components_post_updating:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dnf/dnf.conf | clean_requirements_on_remove=True |
Ensure gpgcheck Enabled In Main dnf Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-83457-2
Ensure gpgcheck Enabled In Main dnf Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | high |
| Identifiers: | CCE-83457-2 |
| References: | | cis-csc | 11, 2, 3, 9 | | cjis | 5.10.4.1 | | cobit5 | APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02 | | cui | 3.4.8 | | hipaa | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b) | | nist-csf | PR.DS-6, PR.DS-8, PR.IP-1 | | ospp | FPT_TUD_EXT.1, FPT_TUD_EXT.2 | | pcidss | Req-6.2 | | os-srg | SRG-OS-000366-GPOS-00153 | | anssi | R59 | | cis | 1.2.1.2 | | pcidss4 | 6.3.3, 6.3 | | stigid | RHEL-09-214015 | | stigref | SV-257820r1044878_rule |
|
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure dnf to check package signatures before installing
them, ensure the following line appears in /etc/dnf/dnf.conf in
the [main] section:
gpgcheck=1
|
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results detailscheck value of gpgcheck in /etc/dnf/dnf.conf
oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dnf/dnf.conf | gpgcheck=1 |
Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-83463-0
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_local_packages:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | high |
| Identifiers: | CCE-83463-0 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.4.8 | | hipaa | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10) | | nist-csf | PR.IP-1 | | ospp | FPT_TUD_EXT.1, FPT_TUD_EXT.2 | | os-srg | SRG-OS-000366-GPOS-00153 | | anssi | R59 | | stigid | RHEL-09-214020 | | stigref | SV-257821r1015077_rule |
|
| Description | dnf should be configured to verify the signature(s) of local packages
prior to installation. To configure dnf to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
|
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. |
|
|
OVAL test results detailscheck value of localpkg_gpgcheck in /etc/dnf/dnf.conf
oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/dnf/dnf.conf | ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ | 1 |
Ensure gpgcheck Enabled for All dnf Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-83464-8
Ensure gpgcheck Enabled for All dnf Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | high |
| Identifiers: | CCE-83464-8 |
| References: | | cis-csc | 11, 2, 3, 9 | | cjis | 5.10.4.1 | | cobit5 | APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02 | | cui | 3.4.8 | | hipaa | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b) | | nist-csf | PR.DS-6, PR.DS-8, PR.IP-1 | | ospp | FPT_TUD_EXT.1, FPT_TUD_EXT.2 | | pcidss | Req-6.2 | | os-srg | SRG-OS-000366-GPOS-00153 | | anssi | R59 | | pcidss4 | 6.3.3, 6.3 | | stigid | RHEL-09-214025 | | stigref | SV-257822r1044880_rule |
|
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
|
| Rationale | Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." |
OVAL test results detailscheck for existence of gpgcheck=0 in /etc/yum.repos.d/ files
oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-84180-9
Ensure Red Hat GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_redhat_gpgkey_installed:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | high |
| Identifiers: | CCE-84180-9 |
| References: | | cis-csc | 11, 2, 3, 9 | | cjis | 5.10.4.1 | | cobit5 | APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02 | | cui | 3.4.8 | | hipaa | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4 | | isa-62443-2013 | SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6 | | iso27001-2013 | A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4 | | nerc-cip | CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a) | | nist-csf | PR.DS-6, PR.DS-8, PR.IP-1 | | ospp | FPT_TUD_EXT.1, FPT_TUD_EXT.2 | | pcidss | Req-6.2 | | os-srg | SRG-OS-000366-GPOS-00153 | | anssi | R59 | | pcidss4 | 6.3.3, 6.3 | | stigid | RHEL-09-214010 | | stigref | SV-257819r1015075_rule |
|
| Description | To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then
install the Red Hat GPG key from trusted media such as the Red Hat
installation CD-ROM or DVD. Assuming the disc is mounted in
/media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In
such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
|
| Rationale | Changes to software components can have significant effects on the overall
security of the operating system. This requirement ensures the software has
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. |
OVAL test results detailsinstalled OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
installed OS part of unix family
oval:ssg-test_rhel9_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
redhat-release is version 9
oval:ssg-test_rhel9:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | redhat-release | x86_64 | (none) | 0.1.el9 | 9.6 | 0:9.6-0.1.el9 | 199e2f91fd431d51 | redhat-release-0:9.6-0.1.el9.x86_64 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 9
oval:ssg-test_ol9_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol9_system:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9
oval:ssg-test_rhevh_rhel9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Red Hat release key package is installed
oval:ssg-test_redhat_package_gpgkey-fd431d51-4ae0493b_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| false | gpg-pubkey | (none) | (none) | 6229229e | 5a6340b3 | 0:5a6340b3-6229229e | 0 | gpg-pubkey-0:5a6340b3-6229229e.(none) |
| true | gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
Red Hat auxiliary key package is installed
oval:ssg-test_redhat_package_gpgkey-5a6340b3-6229229e_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| true | gpg-pubkey | (none) | (none) | 6229229e | 5a6340b3 | 0:5a6340b3-6229229e | 0 | gpg-pubkey-0:5a6340b3-6229229e.(none) |
| false | gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Family |
|---|
| true | unix |
Check os-release ID
oval:ssg-test_centos9_name:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/os-release | ID="rhel" |
Check os-release VERSION_ID
oval:ssg-test_centos9_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos9:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
CentOS9 key package is installed
oval:ssg-test_redhat_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| false | gpg-pubkey | (none) | (none) | 6229229e | 5a6340b3 | 0:5a6340b3-6229229e | 0 | gpg-pubkey-0:5a6340b3-6229229e.(none) |
| false | gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date mediumCCE-84185-8
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-84185-8 |
| References: | | cis-csc | 18, 20, 4 | | cjis | 5.10.4.1 | | cobit5 | APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02 | | isa-62443-2009 | 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9 | | iso27001-2013 | A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3 | | nist | SI-2(5), SI-2(c), CM-6(a) | | nist-csf | ID.RA-1, PR.IP-12 | | ospp | FMT_MOF_EXT.1 | | pcidss | Req-6.2 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R61 | | pcidss4 | 6.3.3, 6.3 | | stigid | RHEL-09-211015 | | stigref | SV-257778r991589_rule |
|
| Description |
If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates. |
| Rationale | Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. |
| Warnings | warning
Red Hat Enterprise Linux 9 does not have a corresponding OVAL CVE Feed. Therefore, this will result in a "not checked" result during a scan. |
Evaluation messagesinfo
No candidate or applicable check found. |
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-87599-7
Enable GNOME3 Login Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_banner_enabled:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-87599-7 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.9 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-8(a), AC-8(b), AC-8(c) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 | | ccn | A.11.SEC-RHEL4 | | cis | 1.8.2 | | stigid | RHEL-09-271010, RHEL-09-271015 | | stigref | SV-258012r1014855_rule, SV-258013r1045082_rule |
|
| Description | In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true.
To enable, add or edit banner-message-enable to
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set. |
| Rationale | Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
GUI banner is enabled
oval:ssg-test_banner_gui_enabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_banner_gui_enabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/ | ^.*$ | ^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$ | 1 |
GUI banner cannot be changed by user
oval:ssg-test_prevent_user_banner_gui_enabled_change:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/banner-message-enable$ | 1 |
Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-86529-5
Set the GNOME3 Login Warning Banner Text
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dconf_gnome_login_banner_text:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86529-5 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.9 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-8(a), AC-8(c) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 | | ccn | A.11.SEC-RHEL4 | | cis | 1.8.2 | | stigid | RHEL-09-171011 | | stigref | SV-270174r1044831_rule |
|
| Description | In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines. |
| Rationale | An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers. |
|
|
OVAL test results detailspackage dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
package dconf is installed
oval:ssg-test_package_dconf_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | dconf | x86_64 | (none) | 6.el9 | 0.40.0 | 0:0.40.0-6.el9 | 199e2f91fd431d51 | dconf-0:0.40.0-6.el9.x86_64 |
dconf user profile exists
oval:ssg-test_dconf_user_profile:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/dconf/profile/user | user-db:user
system-db:local |
GUI banner cannot be changed by user
oval:ssg-test_prevent_user_banner_change:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_prevent_user_banner_change:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/locks/ | ^.*$ | ^/org/gnome/login-screen/banner-message-text$ | 1 |
login banner text is correctly set
oval:ssg-test_gdm_login_banner_text_setting:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_gdm_login_banner_text_setting:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/dconf/db/distro.d/ | ^.*$ | ^banner-message-text=[\s]*'*(.*?)'$ | 1 |
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-83557-9
Modify the System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-banner_etc_issue:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83557-9 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.9 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-8(a), AC-8(c) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 | | ccn | A.11.SEC-RHEL4 | | stigid | RHEL-09-211020 | | stigref | SV-257779r958390_rule |
|
| Description |
To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
|
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
|
|
|
OVAL test results detailscorrect banner in /etc/issue
oval:ssg-test_banner_etc_issue:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/issue.d/cockpit.issue | Activate the web console with: systemctl enable --now cockpit.socket
|
| false | /etc/issue | \S
Kernel \r on an \m
|
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth mediumCCE-86932-1
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.
| Rule ID | xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_password_pam_faillock_password_auth:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86932-1 |
| References: | |
| Description | The pam_faillock.so module must be loaded in preauth in /etc/pam.d/password-auth. |
| Rationale | If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
password guessing attacks. |
|
|
OVAL test results detailsNo more than one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_pam_faillock_password_auth_pam_unix_auth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/password-auth | auth sufficient pam_unix.so |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_pam_faillock_password_auth_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_password_auth_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_pam_faillock_password_auth_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_password_auth_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth mediumCCE-86917-2
Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.
| Rule ID | xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_password_pam_faillock_system_auth:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86917-2 |
| References: | |
| Description | The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth. |
| Rationale | If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
password guessing attacks. |
|
|
OVAL test results detailsNo more than one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_pam_faillock_system_auth_pam_unix_auth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth | auth sufficient pam_unix.so |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_pam_faillock_system_auth_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_system_auth_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_pam_faillock_system_auth_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_system_auth_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
An SELinux Context must be configured for the pam_faillock.so records directoryxccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir mediumCCE-86249-0
An SELinux Context must be configured for the pam_faillock.so records directory
| Rule ID | xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_password_selinux_faillock_dir:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86249-0 |
| References: | |
| Description | The dir configuration option in PAM pam_faillock.so module defines where the lockout
records is stored. The configured directory must have the correct SELinux context. |
| Rationale | Not having the correct SELinux context on the pam_faillock.so records directory may lead to
unauthorized access to the directory. |
OVAL test results detailsfaillog_t context is set in pam_faillock.so tally directories
oval:ssg-test_account_password_selinux_faillock_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_account_password_selinux_faillock_dir:obj:1 of type
selinuxsecuritycontext_object
| Path | Filename |
|---|
| Referenced variable has no values (oval:ssg-var_account_password_selinux_faillock_dir_collector:var | no value |
Check the existence of faillock tally dirs
oval:ssg-test_account_password_selinux_faillock_dir_not_set:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_account_password_selinux_faillock_dir_not_set:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-var_account_password_selinux_faillock_dir_collector:var:1 |
Account Lockouts Must Be Loggedxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit mediumCCE-86100-5
Account Lockouts Must Be Logged
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_audit:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86100-5 |
| References: | |
| Description | PAM faillock locks an account due to excessive password failures, this event must be logged. |
| Rationale | Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. |
|
|
OVAL test results detailsCheck the presence of audit parameter in system-auth
oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the presence of audit parameter in password-auth
oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the absence of audit parameter in /etc/security/faillock.conf
oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Check the absence of audit parameter in system-auth
oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the absence of audit parameter in password-auth
oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the expected audit value in in /etc/security/faillock.conf
oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-83587-6
Lock Accounts After Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83587-6 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.3 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.8 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a), AC-7(a) | | nist-csf | PR.AC-7 | | ospp | FIA_AFL.1 | | pcidss | Req-8.1.6 | | os-srg | SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | | anssi | R31 | | ccn | A.30.SEC-RHEL1 | | cis | 5.3.3.1.1 | | pcidss4 | 8.3.4, 8.3 | | stigid | RHEL-09-411075 | | stigref | SV-258054r958736_rule |
|
| Description | This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
Ensure that the file /etc/security/faillock.conf contains the following entry:
deny = <count>
Where count should be less than or equal to
3 and greater than 0.
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results detailsno more that one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/system-auth | 1 |
no more that one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/password-auth | 1 |
Check the expected deny value in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 3 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) |
| /etc/pam.d/system-auth | 1 |
Check the expected deny value in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 3 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) |
| /etc/pam.d/password-auth | 1 |
Check the absence of deny parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*deny[\s]*=[\s]*([0-9]+) | /etc/security/faillock.conf | 1 |
Check the absence of deny parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | /etc/pam.d/system-auth | 1 |
Check the absence of deny parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | /etc/pam.d/password-auth | 1 |
Check the expected deny value in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 3 | | ^[\s]*deny[\s]*=[\s]*([0-9]+) |
| /etc/security/faillock.conf | 1 |
Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-83589-2
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83589-2 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a), AC-7(b), IA-5(c) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | | anssi | R31 | | cis | 5.3.3.1.3 | | stigid | RHEL-09-411080 | | stigref | SV-258055r1045140_rule |
|
| Description | This rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results detailsNo more than one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one pattern occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one pattern occurrence is expected in account section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one pattern occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one pattern occurrence is expected in account section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected even_deny_root parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/system-auth$ | 1 |
Check the expected even_deny_root parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/password-auth$ | 1 |
Check the absence of even_deny_root parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*even_deny_root | ^/etc/security/faillock.conf$ | 1 |
Check the absence of even_deny_root parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of even_deny_root parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/password-auth$ | 1 |
Check the expected even_deny_root parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*even_deny_root | ^/etc/security/faillock.conf$ | 1 |
Lock Accounts Must Persistxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir mediumCCE-86068-4
Lock Accounts Must Persist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_dir:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86068-4 |
| References: | | nist | AC-7(b), AC-7(a), AC-7.1(ii) | | os-srg | SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 | | stigid | RHEL-09-411105 | | stigref | SV-258060r1045150_rule |
|
| Description | This rule ensures that the system lock out accounts using pam_faillock.so persist
after system reboot. From "pam_faillock" man pages:
Note that the default directory that "pam_faillock" uses is usually cleared on system
boot so the access will be reenabled after system reboot. If that is undesirable, a different
tally directory must be set with the "dir" option.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
The chosen profile expects the directory to be /var/log/faillock.
To configure the tally directory, add the following line to /etc/security/faillock.conf:
dir = /var/log/faillock
|
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password
guessing attacks. In combination with the silent option, user enumeration attacks
are also mitigated. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results detailsCheck that the expected dir value in system-auth is present both with preauth and authfail
oval:ssg-test_pam_faillock_dir_parameter_system_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_system_auth:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-var_faillock_dir_set_both_preauth_authfail_system_auth:var:1 |
Check that the expected dir value in password-auth is present both with preauth and authfail
oval:ssg-test_pam_faillock_dir_parameter_password_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_password_auth:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1 |
Check the absence of dir parameter in /etc/security/faillock.conf
oval:ssg-test_pam_faillock_dir_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| dir\s*=\s*(\S+|"[^"]+) | | ^[\s]*dir\s*=\s*(\S+|"[^"]+) |
| /etc/security/faillock.conf | 1 |
Check the absence of dir parameter in system-auth
oval:ssg-test_pam_faillock_dir_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_system_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance | Filter |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+) | | dir\s*=\s*(\S+|"[^"]+) |
| /etc/pam.d/system-auth | 1 | oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 |
Check the absence of dir parameter in password-auth
oval:ssg-test_pam_faillock_dir_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_password_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance | Filter |
|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]*dir\s*=\s*(\S+|"[^"]+) | | dir\s*=\s*(\S+|"[^"]+) |
| /etc/pam.d/password-auth | 1 | oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 |
Check the expected dir value in in /etc/security/faillock.conf
oval:ssg-test_pam_faillock_dir_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| dir\s*=\s*(\S+|"[^"]+) | | ^[\s]*dir\s*=\s*(\S+|"[^"]+) |
| /etc/security/faillock.conf | 1 |
Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-83583-5
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_interval:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83583-5 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a), AC-7(a) | | nist-csf | PR.AC-7 | | ospp | FIA_AFL.1 | | os-srg | SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | | anssi | R31 | | stigid | RHEL-09-411085 | | stigref | SV-258056r1045143_rule |
|
| Description | Utilizing pam_faillock.so, the fail_interval directive configures the system
to lock out an account after a number of incorrect login attempts within a specified time
period.
Ensure that the file /etc/security/faillock.conf contains the following entry:
fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater.
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results detailsno more that one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/system-auth | 1 |
no more that one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/password-auth | 1 |
Check the expected fail_interval value in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 900 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) |
| /etc/pam.d/system-auth | 1 |
Check the expected fail_interval value in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 900 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) |
| /etc/pam.d/password-auth | 1 |
Check the absence of fail_interval parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) | /etc/security/faillock.conf | 1 |
Check the absence of fail_interval parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) | /etc/pam.d/system-auth | 1 |
Check the absence of fail_interval parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) | /etc/pam.d/password-auth | 1 |
Check the expected fail_interval value in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 900 | | ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) |
| /etc/security/faillock.conf | 1 |
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-83588-4
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83588-4 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.3 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.8 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a), AC-7(b) | | nist-csf | PR.AC-7 | | ospp | FIA_AFL.1 | | pcidss | Req-8.1.7 | | os-srg | SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | | anssi | R31 | | ccn | A.30.SEC-RHEL1 | | cis | 5.3.3.1.2 | | pcidss4 | 8.3.4, 8.3 | | stigid | RHEL-09-411090 | | stigref | SV-258057r1045146_rule |
|
| Description | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so.
Ensure that the file /etc/security/faillock.conf contains the following entry:
unlock_time=<interval-in-seconds> where
interval-in-seconds is 0 or greater.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
If unlock_time is set to 0, manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool. |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
| Warnings | warning
If the system supports the new /etc/security/faillock.conf file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and
/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter
to /etc/security/faillock.conf to ensure compatibility with authselect tool.
The parameters deny and fail_interval, if used, also have to be migrated
by their respective remediation. warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
|
|
OVAL test results detailsno more that one pam_unix.so is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/system-auth | 1 |
no more that one pam_unix.so is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\s*auth\N+pam_unix\.so | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in auth section of system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/system-auth | 1 |
One and only one occurrence is expected in auth section of password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | /etc/pam.d/password-auth | 1 |
One and only one occurrence is expected in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | /etc/pam.d/password-auth | 1 |
Check the expected unlock_time value in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 0 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) |
| /etc/pam.d/system-auth | 1 |
Check the expected unlock_time value in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 0 | | ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) |
| /etc/pam.d/password-auth | 1 |
Check the absence of unlock_time parameter in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) | /etc/security/faillock.conf | 1 |
Check the absence of unlock_time parameter in system-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | /etc/pam.d/system-auth | 1 |
Check the absence of unlock_time parameter in password-auth
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | /etc/pam.d/password-auth | 1 |
Check the expected unlock_time value in /etc/security/faillock.conf
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| 0 | | ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) |
| /etc/security/faillock.conf | 1 |
Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-83566-0
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dcredit:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83566-0 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | ospp | FMT_SMF_EXT.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000071-GPOS-00039 | | anssi | R31 | | pcidss4 | 8.3.6, 8.3 | | stigid | RHEL-09-611070 | | stigref | SV-258103r1045210_rule |
|
| Description | The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_dcredit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dcredit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Wordsxccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck mediumCCE-88413-0
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dictcheck:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-88413-0 |
| References: | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | os-srg | SRG-OS-000480-GPOS-00225, SRG-OS-000072-GPOS-00040 | | cis | 5.3.3.2.6 | | stigid | RHEL-09-611105 | | stigref | SV-258110r1045223_rule |
|
| Description | The pam_pwquality module's dictcheck check if passwords contains dictionary words. When
dictcheck is set to 1 passwords will be checked for dictionary words. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.
Passwords with dictionary words may be more vulnerable to password-guessing attacks. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_dictcheck:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dictcheck:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-83564-5
Ensure PAM Enforces Password Requirements - Minimum Different Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_difok:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83564-5 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.1.1 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000072-GPOS-00040 | | cis | 5.3.3.2.1 | | stigid | RHEL-09-611115 | | stigref | SV-258112r1045229_rule |
|
| Description | The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf
to equal 8 to require differing characters
when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
Password complexity is one factor of several that determines how long
it takes to crack a password. The more complex the password, the
greater the number of possible combinations that need to be tested
before the password is compromised.
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_difok:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_difok:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*difok[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Enforce for root Userxccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root mediumCCE-86356-3
Ensure PAM Enforces Password Requirements - Enforce for root User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_enforce_root:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86356-3 |
| References: | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | os-srg | SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037 | | cis | 5.3.3.2.7 | | stigid | RHEL-09-611060 | | stigref | SV-258101r1045204_rule |
|
| Description | The pam_pwquality module's enforce_for_root parameter controls requirements for
enforcing password complexity for the root user. Enable the enforce_for_root
setting in /etc/security/pwquality.conf to require the root user
to use complex passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise
the password. Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a
password. The more complex the password, the greater the number of possible combinations
that need to be tested before the password is compromised. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_enforce_for_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_enforce_for_root:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^enforce_for_root$ | 1 |
Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-83570-2
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_lcredit:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83570-2 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | ospp | FMT_SMF_EXT.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000070-GPOS-00038 | | anssi | R31 | | pcidss4 | 8.3.6, 8.3 | | stigid | RHEL-09-611065 | | stigref | SV-258102r1045207_rule |
|
| Description | The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possble combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_lcredit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_lcredit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-83575-1
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxclassrepeat:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83575-1 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000072-GPOS-00040, SRG-OS-000730-GPOS-00190 | | stigid | RHEL-09-611120 | | stigref | SV-258113r1045232_rule |
|
| Description | The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal 4
to prevent a run of ( 4 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*maxclassrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-83567-8
Set Password Maximum Consecutive Repeating Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxrepeat:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83567-8 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000072-GPOS-00040 | | cis | 5.3.3.2.4 | | stigid | RHEL-09-611125 | | stigref | SV-258114r1045235_rule |
|
| Description | The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal 3 to prevent a
run of ( 3 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-83563-7
Ensure PAM Enforces Password Requirements - Minimum Different Categories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minclass:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83563-7 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000072-GPOS-00040 | | anssi | R68 | | ccn | A.11.SEC-RHEL3 | | cis | 5.3.3.2.3 | | stigid | RHEL-09-611130 | | stigref | SV-258115r1045238_rule |
|
| Description | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
Requiring a minimum number of character categories makes password guessing attacks more difficult
by ensuring a larger search space. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minclass:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-83579-3
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83579-3 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.1.1 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | ospp | FMT_SMF_EXT.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000078-GPOS-00046 | | anssi | R31, R68 | | ccn | A.11.SEC-RHEL3 | | cis | 5.3.3.2.2 | | pcidss4 | 8.3.6, 8.3 | | stigid | RHEL-09-611090 | | stigref | SV-258107r1045218_rule |
|
| Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=15
after pam_pwquality to set minimum password length requirements. |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromise the password. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minlen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-83565-2
Ensure PAM Enforces Password Requirements - Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ocredit:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83565-2 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000266-GPOS-00101 | | anssi | R31 | | stigid | RHEL-09-611100 | | stigref | SV-258109r1045220_rule |
|
| Description | The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal -1
to require use of a special character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ocredit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ocredit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM password complexity module is enabled in password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth mediumCCE-85878-7
Ensure PAM password complexity module is enabled in password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwquality_password_auth:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-85878-7 |
| References: | | os-srg | SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-611040 | | stigref | SV-258097r1045193_rule |
|
| Description | To enable PAM password complexity in password-auth file:
Edit the password section in
/etc/pam.d/password-auth to show
password requisite pam_pwquality.so. |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks. |
OVAL test results detailscheck the configuration of /etc/pam.d/password-auth
oval:ssg-test_accounts_password_pam_pwquality_password_auth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/password-auth | password requisite pam_pwquality.so |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.confxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_retry mediumCCE-86502-2
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.conf
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_retry |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwquality_retry:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86502-2 |
| References: | |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the /etc/security/pwquality.conf to include
retry=3
, or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_retry:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*retry[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Ensure PAM password complexity module is enabled in system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth mediumCCE-85873-8
Ensure PAM password complexity module is enabled in system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwquality_system_auth:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-85873-8 |
| References: | |
| Description | To enable PAM password complexity in system-auth file:
Edit the password section in
/etc/pam.d/system-auth to show
password requisite pam_pwquality.so. |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks. |
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_accounts_password_pam_pwquality_system_auth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth | password requisite pam_pwquality.so |
Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-83568-6
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ucredit:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-83568-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | ospp | FMT_SMF_EXT.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038 | | anssi | R31 | | stigid | RHEL-09-611110 | | stigref | SV-258111r1045226_rule |
|
| Description | The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised. |
|
|
OVAL test results detailscheck the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
password requisite pam_pwquality.so local_users_only |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ucredit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ucredit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
Set Password Hashing Algorithm in /etc/libuser.confxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf mediumCCE-88865-1
Set Password Hashing Algorithm in /etc/libuser.conf
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_libuserconf:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-88865-1 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.2 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.13.11 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(c), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.2.1 | | os-srg | SRG-OS-000073-GPOS-00041 | | cis | 5.4.1.4 | | pcidss4 | 8.3.2, 8.3 | | stigid | RHEL-09-611135 | | stigref | SV-258116r1045240_rule |
|
| Description | In /etc/libuser.conf, add or correct the following line in its [defaults]
section to ensure the system will use the sha512
algorithm for password hashing:
crypt_style = sha512
|
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult. |
OVAL test results detailscheck if /etc/libuser.conf hashing algorithm option is correct
oval:ssg-test_set_password_hashing_algorithm_libuserconf:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/libuser.conf |
crypt_style = sha512 |
Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-90590-1
Set Password Hashing Algorithm in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_logindefs:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-90590-1 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.2 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.13.11 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(c), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.2.1 | | os-srg | SRG-OS-000073-GPOS-00041 | | ccn | A.19.SEC-RHEL3 | | cis | 5.4.1.4 | | pcidss4 | 8.3.2, 8.3 | | stigid | RHEL-09-611140 | | stigref | SV-258117r1015116_rule |
|
| Description | In /etc/login.defs, add or update the following line to ensure the system will use
SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
|
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
OVAL test results detailsThe value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs
oval:ssg-test_set_password_hashing_algorithm_logindefs:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_last_encrypt_method_instance_value:var:1 | SHA512 |
Set PAM''s Password Hashing Algorithm - password-authxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth mediumCCE-85946-2
Set PAM''s Password Hashing Algorithm - password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_passwordauth:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-85946-2 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.2 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.13.11 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(c), IA-5(1)(c), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.2.1 | | os-srg | SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 | | ccn | A.19.SEC-RHEL3 | | cis | 5.3.3.4.3 | | stigid | RHEL-09-671025 | | stigref | SV-258233r1015136_rule |
|
| Description | The PAM system service can be configured to only store encrypted representations of passwords.
In /etc/pam.d/password-auth, the password section of the file controls which
PAM modules to execute during a password change.
Set the pam_unix.so module in the password section to include the option
sha512 and no other hashing
algorithms as shown below:
password sufficient pam_unix.so sha512
other arguments...
This will help ensure that new passwords for local users will be stored using the
sha512 algorithm. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the crypt_style
configuration option in /etc/libuser.conf ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult. |
| Warnings | warning
The hashing algorithms to be used with pam_unix.so are defined with independent module
options. There are at least 7 possible algorithms and likely more algorithms will be
introduced along the time. Due the the number of options and its possible combinations,
the use of multiple hashing algorithm options may bring unexpected behaviors to the
system. For this reason the check will pass only when one hashing algorithm option is
defined and is aligned to the "var_password_hashing_algorithm_pam" variable. The
remediation will ensure the correct option and remove any other extra hashing algorithm
option. |
OVAL test results detailscheck if pam_unix.so hashing algorithm option is correct and specified only once in /etc/pam.d/password-auth
oval:ssg-test_set_password_hashing_algorithm_passwordauth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/pam.d/password-auth | password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Disallow Configuration to Bypass Password Requirements for Privilege Escalationxccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo mediumCCE-85967-8
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
| Rule ID | xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disallow_bypass_password_sudo:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-85967-8 |
| References: | | nist | IA-11 | | os-srg | SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158 | | stigid | RHEL-09-611145 | | stigref | SV-258118r1050789_rule |
|
| Description | Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudo
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they do not
have authorization. When operating systems provide the capability to escalate a functional
capability, it is critical the user re-authenticate. |
OVAL test results detailsCheck absence of conf pam_succeed_if in /etc/pam.d/sudo
oval:ssg-test_disallow_bypass_password_sudo:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disallow_bypass_password_sudo:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/sudo | ^.*pam_succeed_if.*$ | 1 |
Ensure PAM Displays Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-83560-3
Ensure PAM Displays Last Logon/Access Notification
| Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-display_login_attempts:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | low |
| Identifiers: | CCE-83560-3 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.2 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | ism | 0582, 0584, 05885, 0586, 0846, 0957 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-9, AC-9(1) | | nist-csf | PR.AC-7 | | pcidss | Req-10.2.4 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 10.2.1.4, 10.2.1, 10.2 | | stigid | RHEL-09-412075 | | stigref | SV-258076r991589_rule |
|
| Description | To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in /etc/pam.d/postlogin
to include showfailed option, such as:
session [default=1] pam_lastlog.so showfailed
And make sure that the silent option is not set for this specific line. |
| Rationale | Users need to be aware of activity that occurs regarding their account. Providing users with
information regarding the number of unsuccessful attempts that were made to login to their
account allows the user to determine if any unauthorized activity has occurred and gives them
an opportunity to notify administrators. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. warning
authselect contains an authselect feature to easily and properly enable Last Logon
notifications with pam_lastlog.so module. If a custom profile was created and used
in the system before this authselect feature was available, the new feature can't be used
with this custom profile and the remediation will fail. In this case, the custom profile
should be recreated or manually updated. |
|
|
OVAL test results detailsCheck the pam_lastlog is configured to show last login information
oval:ssg-test_display_login_attempts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_display_login_attempts:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/postlogin | ^\s*session\s+.*\s+pam_lastlog\.so\b(?!.*\ssilent\s).*\sshowfailed\s.*$ | 1 |
Install the opensc Package For Multifactor Authenticationxccdf_org.ssgproject.content_rule_package_opensc_installed mediumCCE-83595-9
Install the opensc Package For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_package_opensc_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_opensc_installed:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-83595-9 |
| References: | | ism | 1382, 1384, 1386 | | nist | CM-6(a) | | os-srg | SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161 | | stigid | RHEL-09-611185 | | stigref | SV-258126r1045255_rule |
|
| Description |
The opensc package can be installed with the following command:
$ sudo dnf install opensc
|
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
|
|
|
|
|
|
|
OVAL test results detailspackage opensc is installed
oval:ssg-test_package_opensc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_opensc_installed:obj:1 of type
rpminfo_object
Install the pcsc-lite packagexccdf_org.ssgproject.content_rule_package_pcsc-lite_installed mediumCCE-86280-5
Install the pcsc-lite package
| Rule ID | xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_pcsc-lite_installed:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-86280-5 |
| References: | |
| Description | The pcsc-lite package can be installed with the following command:
$ sudo dnf install pcsc-lite
|
| Rationale | The pcsc-lite package must be installed if it is to be available for
multifactor authentication using smartcards. |
|
|
|
|
|
|
|
OVAL test results detailspackage pcsc-lite is installed
oval:ssg-test_package_pcsc-lite_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_pcsc-lite_installed:obj:1 of type
rpminfo_object
Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages mediumCCE-83596-7
Install Smart Card Packages For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_install_smartcard_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-install_smartcard_packages:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-83596-7 |
| References: | | nist | CM-6(a) | | pcidss | Req-8.3 | | os-srg | SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162 | | stigid | RHEL-09-215075 | | stigref | SV-257838r1044912_rule |
|
| Description | Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The openssl-pkcs11 package can be installed with the following command:
$ sudo dnf install openssl-pkcs11
|
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
|
|
|
|
|
|
|
OVAL test results detailspackage openssl-pkcs11 is installed
oval:ssg-test_package_openssl-pkcs11_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openssl-pkcs11_installed:obj:1 of type
rpminfo_object
Enable the pcscd Servicexccdf_org.ssgproject.content_rule_service_pcscd_enabled mediumCCE-87907-2
Enable the pcscd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_pcscd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_pcscd_enabled:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-87907-2 |
| References: | | ism | 1382, 1384, 1386 | | nist | IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a) | | pcidss | Req-8.3 | | os-srg | SRG-OS-000375-GPOS-00160 | | stigid | RHEL-09-611180 | | stigref | SV-258125r1045253_rule |
|
| Description |
The pcscd service can be enabled with the following command:
$ sudo systemctl enable pcscd.service
|
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
|
|
|
|
|
OVAL test results detailspackage pcsc-lite is installed
oval:ssg-test_service_pcscd_package_pcsc-lite_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_pcscd_package_pcsc-lite_installed:obj:1 of type
rpminfo_object
Test that the pcscd service is running
oval:ssg-test_service_running_pcscd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_pcscd:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^pcscd\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_pcscd:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_pcscd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Configure opensc Smart Card Driversxccdf_org.ssgproject.content_rule_configure_opensc_card_drivers mediumCCE-89122-6
Configure opensc Smart Card Drivers
| Rule ID | xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_opensc_card_drivers:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-89122-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 1382, 1384, 1386 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.3 | | os-srg | SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058 | | stigid | RHEL-09-611160 | | stigref | SV-258121r1045243_rule |
|
| Description | The OpenSC smart card tool can auto-detect smart card drivers; however,
setting the smart card drivers in use by your organization helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
profile is cac.
To configure the OpenSC driver, edit the /etc/opensc.conf
and add the following line into the file in the app default block,
so it will look like:
app default {
...
card_drivers = cac;
}
|
| Rationale | Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Configuring the smart card driver in use by your organization helps to prevent
users from using unauthorized smart cards. |
|
|
OVAL test results detailsCheck that card_drivers is configured for opensc
oval:ssg-test_configure_opensc_card_drivers:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_opensc_card_drivers:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/opensc.*\.conf$ | ^[\s]+card_drivers[\s]+=[\s]+(\S+);$ | 1 |
Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-90724-6
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-90724-6 |
| References: | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | nist | CM-6 | | ospp | FIA_UAU.1 | | os-srg | SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-211055 | | stigref | SV-257786r1044834_rule |
|
| Description | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
|
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. |
|
|
|
|
|
|
OVAL test results detailspackage systemd is removed
oval:ssg-service_debug-shell_disabled_test_service_debug-shell_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | systemd | x86_64 | (none) | 51.el9_6.2 | 252 | 0:252-51.el9_6.2 | 199e2f91fd431d51 | systemd-0:252-51.el9_6.2.x86_64 |
Test that the debug-shell service is not running
oval:ssg-test_service_not_running_service_debug-shell_disabled_debug-shell:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | debug-shell.service | ActiveState | inactive |
Test that the property LoadState from the service debug-shell is masked
oval:ssg-test_service_loadstate_is_masked_service_debug-shell_disabled_debug-shell:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| false | debug-shell.service | LoadState | loaded |
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-90308-8
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_burstaction:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | high |
| Identifiers: | CCE-90308-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1), CM-6(a) | | nist-csf | PR.AC-4, PR.DS-5 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-211045 | | stigref | SV-257784r1044832_rule |
|
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction
setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
|
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
|
|
|
OVAL test results detailscheck if CtrlAltDelBurstAction is set to none
oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/systemd/system.conf(\.d/.*\.conf)?$ | ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ | 1 |
Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-86667-3
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_ctrlaltdel_reboot:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | high |
| Identifiers: | CCE-86667-3 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-211050 | | stigref | SV-257785r1044833_rule |
|
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
|
|
|
OVAL test results detailsDisable Ctrl-Alt-Del key sequence override exists
oval:ssg-test_disable_ctrlaltdel_exists:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| false | /etc/systemd/system/ctrl-alt-del.target | /usr/lib/systemd/system/reboot.target |
Verify that Interactive Boot is Disabledxccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot mediumCCE-87114-5
Verify that Interactive Boot is Disabled
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_disable_interactive_boot:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-87114-5 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.2, 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | SC-2(1), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-212015 | | stigref | SV-257788r1044838_rule |
|
| Description | Red Hat Enterprise Linux 9 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 9
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from
the kernel arguments in that file to disable interactive boot.
Recovery booting must also be disabled. Confirm that
GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub.
It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg
|
| Rationale | Using interactive or recovery boot, the console user could disable auditing, firewalls,
or other services, weakening system security. |
OVAL test results detailsCheck systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$ | 1 |
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd\.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-83592-6
Require Authentication for Emergency Systemd Target
| Rule ID | xccdf_org.ssgproject.content_rule_require_emergency_target_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_emergency_target_auth:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-83592-6 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.1.1, 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | IA-2, AC-3, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 | | os-srg | SRG-OS-000080-GPOS-00048 | | stigid | RHEL-09-611195 | | stigref | SV-258128r958472_rule |
|
| Description | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set
in /usr/lib/systemd/system/emergency.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results detailsTests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_emergency_service:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/emergency.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency |
Tests that the systemd emergency.service is in the emergency.target
oval:ssg-test_require_emergency_service_emergency_target:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/emergency.target | Requires=emergency.service |
look for emergency.target in /etc/systemd/system
oval:ssg-test_no_custom_emergency_target:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^emergency.target$ |
look for emergency.service in /etc/systemd/system
oval:ssg-test_no_custom_emergency_service:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | /etc/systemd/system | ^emergency.service$ |
Look for drop in config files for emergency.service
oval:ssg-test_require_emergency_target_auth_drop_in_config_exist:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_require_emergency_target_auth_drop_in_config_exist:obj:1 of type
file_object
| Path | Filename |
|---|
| /etc/systemd/system/emergency.service.d | ^.*\.conf$ |
Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_emergency_service_drop_in:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_emergency_service_drop_in:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/systemd/system/emergency.service.d | ^.*\.conf$ | ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency | 1 |
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-83594-2
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
| Time | 2025-09-21T20:22:56-05:00 |
| Severity | medium |
| Identifiers: | CCE-83594-2 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.1.1, 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, AC-3, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 | | ospp | FIA_UAU.1 | | os-srg | SRG-OS-000080-GPOS-00048 | | stigid | RHEL-09-611200 | | stigref | SV-258129r958472_rule |
|
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
OVAL test results detailsTests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service_distro:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Check that there is no override file for rescue.service with Execstart - directive
oval:ssg-test_rescue_service_not_overridden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service_override:obj:1 of type
textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance |
|---|
| no value | /etc/systemd/system/rescue.service.d | ^.*\.conf$ | ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$ | 1 |
Tests that/usr/lib/systemd/systemd-sulogin-shell is defined in /etc/systemd/system/rescue.service.d/*.conf
oval:ssg-test_require_rescue_service_override:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service_override:obj:1 of type
textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance |
|---|
| no value | /etc/systemd/system/rescue.service.d | ^.*\.conf$ | ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$ | 1 |
Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-83627-0
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_post_pw_expiration:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83627-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cjis | 5.6.2.1.1 | | cobit5 | DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.5.6 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | IA-4(e), AC-2(3), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7 | | pcidss | Req-8.1.4 | | os-srg | SRG-OS-000118-GPOS-00060 | | cis | 5.4.1.5 | | pcidss4 | 8.2.6, 8.2 | | stigid | RHEL-09-411050 | | stigref | SV-258049r1015092_rule |
|
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=35
If a password is currently on the verge of expiration, then
35
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 35 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
|
|
OVAL test results detailsthe value INACTIVE parameter should be set appropriately in /etc/default/useradd
oval:ssg-test_etc_default_useradd_inactive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/useradd | ^\s*INACTIVE\s*=\s*(\d+)\s*$ | 1 |
Assign Expiration Date to Temporary Accountsxccdf_org.ssgproject.content_rule_account_temp_expire_date mediumCCE-90096-9
Assign Expiration Date to Temporary Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-90096-9 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cobit5 | DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | AC-2(2), AC-2(3), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6 | | os-srg | SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002 | | stigid | RHEL-09-411040 | | stigref | SV-258047r958508_rule |
|
| Description | Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Evaluation messagesinfo
No candidate or applicable check found. |
Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-83606-4
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_maximum_age_login_defs:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83606-4 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.1 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.5.6 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(f), IA-5(1)(d), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.2.4 | | os-srg | SRG-OS-000076-GPOS-00044 | | ccn | A.5.SEC-RHEL5 | | cis | 5.4.1.1 | | pcidss4 | 8.3.9, 8.3 | | stigid | RHEL-09-411010 | | stigref | SV-258041r1038967_rule |
|
| Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is 60. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise. |
|
|
OVAL test results detailsThe value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_max_days:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-variable_last_pass_max_days_instance_value:var:1 | 99999 |
Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-83610-6
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_minimum_age_login_defs:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83610-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.6.2.1.1 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.5.8 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | IA-5(f), IA-5(1)(d), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000075-GPOS-00043 | | ccn | A.5.SEC-RHEL5 | | cis | 5.4.1.2 | | stigid | RHEL-09-611075 | | stigref | SV-258104r1015104_rule |
|
| Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 1
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is 1. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement. |
|
|
OVAL test results detailsThe value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs
oval:ssg-test_pass_min_days:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-variable_last_pass_min_days_instance_value:var:1 | 0 |
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-86031-2
Set Existing Passwords Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_max_life_existing:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-86031-2 |
| References: | |
| Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 60
USER
|
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
|
|
OVAL test results detailsCompares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/shadow | root:$6$MZ9wcaxzwJNPWHa3$Bm8kXnD5LC3NU6r86A/7TUeOUR/e8lBV1K7/eNGKUxLgCwx1DY3qwehpbf2zLUGLDWr6EAHVPrA6XXCX3nFx80::0:99999:7::: |
| false | /etc/shadow | sysadmin:$6$.oADDomDOt4.sxV0$C/A2/k.arxDRPYi3V7DVffzysG0vrp00dFJ4NfbxrCh5QhqDEit1a48yrrTFX.nvPyYtMNWcfHIGAR/kydv8I/::0:99999:7:::
|
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/shadow | root:$6$MZ9wcaxzwJNPWHa3$Bm8kXnD5LC3NU6r86A/7TUeOUR/e8lBV1K7/eNGKUxLgCwx1DY3qwehpbf2zLUGLDWr6EAHVPrA6XXCX3nFx80::0:99999:7::: |
| true | /etc/shadow | sysadmin:$6$.oADDomDOt4.sxV0$C/A2/k.arxDRPYi3V7DVffzysG0vrp00dFJ4NfbxrCh5QhqDEit1a48yrrTFX.nvPyYtMNWcfHIGAR/kydv8I/::0:99999:7:::
|
Passwords must have the maximum password age set non-empty in /etc/shadow.
oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_not_empty:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_max_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:){2}():(?:[^:]*:){3}(?:[^:]*)$ | 1 |
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-89069-9
Set Existing Passwords Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_min_life_existing:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-89069-9 |
| References: | |
| Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
|
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse. |
|
|
OVAL test results detailsCompares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/shadow | sysadmin:$6$.oADDomDOt4.sxV0$C/A2/k.arxDRPYi3V7DVffzysG0vrp00dFJ4NfbxrCh5QhqDEit1a48yrrTFX.nvPyYtMNWcfHIGAR/kydv8I/::0:99999:7:::
|
| true | /etc/shadow | root:$6$MZ9wcaxzwJNPWHa3$Bm8kXnD5LC3NU6r86A/7TUeOUR/e8lBV1K7/eNGKUxLgCwx1DY3qwehpbf2zLUGLDWr6EAHVPrA6XXCX3nFx80::0:99999:7::: |
Compares a specific field in /etc/shadow with a specific variable value
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/shadow | sysadmin:$6$.oADDomDOt4.sxV0$C/A2/k.arxDRPYi3V7DVffzysG0vrp00dFJ4NfbxrCh5QhqDEit1a48yrrTFX.nvPyYtMNWcfHIGAR/kydv8I/::0:99999:7:::
|
| false | /etc/shadow | root:$6$MZ9wcaxzwJNPWHa3$Bm8kXnD5LC3NU6r86A/7TUeOUR/e8lBV1K7/eNGKUxLgCwx1DY3qwehpbf2zLUGLDWr6EAHVPrA6XXCX3nFx80::0:99999:7::: |
Passwords must have the maximum password age set non-empty in /etc/shadow.
oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_not_empty:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_min_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:)():(?:[^:]*:){4}(?:[^:]*)$ | 1 |
Verify All Account Password Hashes are Shadowed with SHA512xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 mediumCCE-89983-1
Verify All Account Password Hashes are Shadowed with SHA512
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_all_shadowed_sha512:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-89983-1 |
| References: | | nist | IA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1 | | os-srg | SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 | | stigid | RHEL-09-671015 | | stigref | SV-258231r1069375_rule |
|
| Description | Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. |
OVAL test results detailspassword hashes are shadowed using sha512
oval:ssg-test_accounts_password_all_shadowed_sha512:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_all_shadowed_sha512:obj:1 of type
shadow_object
| Username | Filter | Filter | Filter |
|---|
| .* | oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1 | oval:ssg-state_accounts_password_all_shadowed_has_locked_password:ste:1 | oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1 |
Set number of Password Hashing Rounds - password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth mediumCCE-83615-5
Set number of Password Hashing Rounds - password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_unix_rounds_password_auth:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83615-5 |
| References: | |
| Description | Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.
In file /etc/pam.d/password-auth append rounds=100000
to the pam_unix.so entry, as shown below:
password sufficient pam_unix.so ...existing_options... rounds=100000
The system's default number of rounds is 5000. |
| Rationale | Using a higher number of rounds makes password cracking attacks more difficult. |
| Warnings | warning
Setting a high number of hashing rounds makes it more difficult to brute force the password,
but requires more CPU resources to authenticate users. |
|
|
OVAL test results detailsTest if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/password-auth
oval:ssg-test_password_auth_pam_unix_rounds_is_set:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_password_auth_pam_unix_rounds:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/pam.d/password-auth$ | ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so[^#]*rounds=([0-9]*).*$ | 1 |
Set number of Password Hashing Rounds - system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth mediumCCE-83621-3
Set number of Password Hashing Rounds - system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_unix_rounds_system_auth:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83621-3 |
| References: | |
| Description | Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the rounds option for the pam_unix PAM module.
In file /etc/pam.d/system-auth append rounds=100000
to the pam_unix.so entry, as shown below:
password sufficient pam_unix.so ...existing_options... rounds=100000
The system's default number of rounds is 5000. |
| Rationale | Using a higher number of rounds makes password cracking attacks more difficult. |
| Warnings | warning
Setting a high number of hashing rounds makes it more difficult to brute force the password,
but requires more CPU resources to authenticate users. |
|
|
OVAL test results detailsTest if rounds attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth
oval:ssg-test_system_auth_pam_unix_rounds_is_set:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_system_auth_pam_unix_rounds:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/pam.d/system-auth$ | ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ | 1 |
All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-83613-0
All GIDs referenced in /etc/passwd must be defined in /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-gid_passwd_group_same:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | low |
| Identifiers: | CCE-83613-0 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cjis | 5.5.2 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, CM-6(a) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | pcidss | Req-8.5.a | | os-srg | SRG-OS-000104-GPOS-00051 | | cis | 7.2.3 | | pcidss4 | 8.2.2, 8.2 | | stigid | RHEL-09-411045 | | stigref | SV-258048r1069380_rule |
|
| Description | Add a group to the system for each GID referenced without a corresponding group. |
| Rationale | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group. |
OVAL test results detailsVerify all GIDs referenced in /etc/passwd are defined in /etc/group
oval:ssg-test_gid_passwd_group_same:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/passwd | nobody:x:65534:65534: |
| true | /etc/passwd | games:x:12:100: |
| true | /etc/passwd | ftp:x:14:50: |
| true | /etc/passwd | systemd-coredump:x:999:999: |
| true | /etc/passwd | dbus:x:81:81: |
| true | /etc/passwd | polkitd:x:998:998: |
| true | /etc/passwd | avahi:x:70:70: |
| true | /etc/passwd | rtkit:x:172:172: |
| true | /etc/passwd | pipewire:x:997:996: |
| true | /etc/passwd | sssd:x:996:995: |
| true | /etc/passwd | libstoragemgmt:x:994:994: |
| true | /etc/passwd | unbound:x:993:993: |
| true | /etc/passwd | tss:x:59:59: |
| true | /etc/passwd | geoclue:x:992:991: |
| true | /etc/passwd | flatpak:x:991:990: |
| true | /etc/passwd | colord:x:990:989: |
| true | /etc/passwd | stapunpriv:x:159:159: |
| true | /etc/passwd | clevis:x:989:988: |
| true | /etc/passwd | setroubleshoot:x:988:987: |
| true | /etc/passwd | gdm:x:42:42: |
| true | /etc/passwd | gnome-initial-setup:x:987:986: |
| true | /etc/passwd | pesign:x:986:985: |
| true | /etc/passwd | sshd:x:74:74: |
| true | /etc/passwd | chrony:x:985:984: |
| true | /etc/passwd | dnsmasq:x:984:983: |
| true | /etc/passwd | tcpdump:x:72:72: |
| true | /etc/passwd | sysadmin:x:1000:1000: |
| true | /etc/passwd | bin:x:1:1: |
| true | /etc/passwd | operator:x:11:0: |
| true | /etc/passwd | halt:x:7:0: |
| true | /etc/passwd | adm:x:3:4: |
| true | /etc/passwd | root:x:0:0: |
| true | /etc/passwd | daemon:x:2:2: |
| true | /etc/passwd | mail:x:8:12: |
| true | /etc/passwd | sync:x:5:0: |
| true | /etc/passwd | lp:x:4:7: |
| true | /etc/passwd | shutdown:x:6:0: |
Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-83611-4
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | high |
| Identifiers: | CCE-83611-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2 | | cobit5 | APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10 | | cui | 3.1.1, 3.1.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | IA-5(1)(a), IA-5(c), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5 | | ospp | FIA_UAU.1 | | pcidss | Req-8.2.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 5.3.3.4.1 | | pcidss4 | 8.3.1, 8.3 | | stigid | RHEL-09-611025 | | stigref | SV-258094r1045187_rule |
|
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having user with empty password within a container is not
considered a risk, because it should not be possible to directly login into
a container anyway. |
|
|
|
OVAL test results detailsmake sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/pam.d/system-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
| not evaluated | /etc/pam.d/password-auth |
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok |
Ensure There Are No Accounts With Blank or Null Passwordsxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow highCCE-85972-8
Ensure There Are No Accounts With Blank or Null Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords_etc_shadow:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | high |
| Identifiers: | CCE-85972-8 |
| References: | |
| Description | Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
|
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. |
OVAL test results detailsmake sure there aren't blank or null passwords in /etc/shadow
oval:ssg-test_no_empty_passwords_etc_shadow:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/shadow | ^[^:]+::.*$ | 1 |
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-83624-7
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | high |
| Identifiers: | CCE-83624-7 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10 | | cui | 3.1.1, 3.1.5 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-2, AC-6(5), IA-4(b) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5 | | pcidss | Req-8.5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 5.4.2.1 | | pcidss4 | 8.2.1, 8.2 | | stigid | RHEL-09-411100 | | stigref | SV-258059r991589_rule |
|
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
OVAL test results detailstest that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_no_uid_except_root:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-83623-9
Ensure that System Accounts Do Not Run a Shell Upon Login
| Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_shelllogin_for_systemaccounts:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83623-9 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cobit5 | DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | ism | 1491 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | AC-6, CM-6(a), CM-6(b), CM-6.1(iv) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.6.SEC-RHEL3 | | cis | 5.4.2.7 | | pcidss4 | 8.2.2, 8.2 | | stigid | RHEL-09-411035 | | stigref | SV-258046r991589_rule |
|
| Description | Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. Should an attacker be able to log into these accounts, they should
not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
other than root has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
|
| Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for
attackers to make use of system accounts. |
| Warnings | warning
Do not perform the steps in this section on the root account. Doing so might cause the
system to become inaccessible. |
OVAL test results detailsSYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999 |
<0, UID_MIN - 1> system UIDs having shell set
oval:ssg-test_shell_defined_default_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/passwd | sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash |
SYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/login.defs | #
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999 |
<0, SYS_UID_MIN> system UIDs having shell set
oval:ssg-test_shell_defined_reserved_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/passwd | sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash |
<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set
oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/passwd | sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash |
Enforce usage of pam_wheel for su authenticationxccdf_org.ssgproject.content_rule_use_pam_wheel_for_su mediumCCE-90085-2
Enforce usage of pam_wheel for su authentication
| Rule ID | xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-use_pam_wheel_for_su:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-90085-2 |
| References: | | ospp | FMT_SMF_EXT.1.1 | | os-srg | SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123 | | ccn | A.5.SEC-RHEL1 | | stigid | RHEL-09-432035 | | stigref | SV-258088r1050789_rule |
|
| Description | To ensure that only users who are members of the wheel group can
run commands with altered privileges through the su command, make
sure that the following line exists in the file /etc/pam.d/su:
auth required pam_wheel.so use_uid
|
| Rationale | The su program allows to run commands with a substitute user and
group ID. It is commonly used to run commands as the root user. Limiting
access to such command is considered a good security practice. |
| Warnings | warning
Members of "wheel" or GID 0 groups are checked by default if the group option is not set
for pam_wheel.so module. Therefore, members of these groups should be manually checked or
a different group should be informed according to the site policy. |
|
|
OVAL test results detailscheck existence of use_uid option for pam_wheel.so in /etc/pam.d/su
oval:ssg-test_use_pam_wheel_for_su:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_use_pam_wheel_for_su:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/su | ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b | 1 |
Ensure All Accounts on the System Have Unique User IDsxccdf_org.ssgproject.content_rule_account_unique_id mediumCCE-88493-2
Ensure All Accounts on the System Have Unique User IDs
| Rule ID | xccdf_org.ssgproject.content_rule_account_unique_id |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_unique_id:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-88493-2 |
| References: | |
| Description | Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| Rationale | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to unique requirements of each
system. |
OVAL test results detailsThere should not exist duplicate user ids in /etc/passwd
oval:ssg-test_etc_passwd_no_duplicate_user_ids:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_count_of_all_uids:var:1 | 37 |
Only Authorized Local User Accounts Exist on Operating Systemxccdf_org.ssgproject.content_rule_accounts_authorized_local_users mediumCCE-88048-4
Only Authorized Local User Accounts Exist on Operating System
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_authorized_local_users |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_authorized_local_users:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-88048-4 |
| References: | |
| Description | Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
|
| Rationale | Accounts providing no operational purpose provide additional opportunities for
system compromise. Unnecessary accounts include user accounts for individuals not
requiring access to the system and application accounts for applications not installed
on the system. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique
requirements of each system. |
OVAL test results detailsquery /etc/passwd
oval:ssg-test_accounts_authorized_local_users:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/passwd | shutdown: |
| true | /etc/passwd | halt: |
| true | /etc/passwd | mail: |
| true | /etc/passwd | operator: |
| true | /etc/passwd | sssd: |
| true | /etc/passwd | libstoragemgmt: |
| false | /etc/passwd | unbound: |
| true | /etc/passwd | tss: |
| true | /etc/passwd | geoclue: |
| true | /etc/passwd | flatpak: |
| true | /etc/passwd | colord: |
| false | /etc/passwd | stapunpriv: |
| true | /etc/passwd | clevis: |
| true | /etc/passwd | setroubleshoot: |
| true | /etc/passwd | gdm: |
| true | /etc/passwd | gnome-initial-setup: |
| false | /etc/passwd | pesign: |
| true | /etc/passwd | sshd: |
| true | /etc/passwd | chrony: |
| true | /etc/passwd | dnsmasq: |
| true | /etc/passwd | tcpdump: |
| false | /etc/passwd | sysadmin: |
| true | /etc/passwd | games: |
| true | /etc/passwd | ftp: |
| true | /etc/passwd | nobody: |
| true | /etc/passwd | systemd-coredump: |
| true | /etc/passwd | dbus: |
| true | /etc/passwd | polkitd: |
| true | /etc/passwd | avahi: |
| true | /etc/passwd | rtkit: |
| true | /etc/passwd | pipewire: |
| true | /etc/passwd | sync: |
| true | /etc/passwd | bin: |
| true | /etc/passwd | adm: |
| true | /etc/passwd | daemon: |
| true | /etc/passwd | lp: |
Ensure All Groups on the System Have Unique Group IDxccdf_org.ssgproject.content_rule_group_unique_id mediumCCE-86043-7
Ensure All Groups on the System Have Unique Group ID
| Rule ID | xccdf_org.ssgproject.content_rule_group_unique_id |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-group_unique_id:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-86043-7 |
| References: | |
| Description | Change the group name or delete groups, so each has a unique id. |
| Rationale | To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique requirements of each system. |
OVAL test results detailsThere should not exist duplicate group ids in /etc/passwd
oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-variable_count_of_all_group_ids:var:1 | 62 |
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-83644-5
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83644-5 |
| References: | | cis-csc | 18 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03 | | isa-62443-2009 | 4.3.4.3.3 | | iso27001-2013 | A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-6(1), CM-6(a) | | nist-csf | PR.IP-2 | | os-srg | SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 | | anssi | R36 | | ccn | A.6.SEC-RHEL5 | | cis | 5.4.3.3 | | stigid | RHEL-09-412055 | | stigref | SV-258072r1045155_rule |
|
| Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 077
|
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
|
|
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| not evaluated | oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_bashrc:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 18 |
Ensure the Default C Shell Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc mediumCCE-87721-7
Ensure the Default C Shell Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_csh_cshrc:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-87721-7 |
| References: | | cis-csc | 18 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03 | | isa-62443-2009 | 4.3.4.3.3 | | iso27001-2013 | A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-6(1), CM-6(a) | | nist-csf | PR.IP-2 | | os-srg | SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-412060 | | stigref | SV-258073r1045157_rule |
|
| Description | To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 077
|
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
|
|
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| not evaluated | oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 | 18 |
Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs mediumCCE-83647-8
Ensure the Default Umask is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_login_defs:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83647-8 |
| References: | | cis-csc | 11, 18, 3, 9 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-6(1), CM-6(a) | | nist-csf | PR.IP-1, PR.IP-2 | | os-srg | SRG-OS-000480-GPOS-00228 | | anssi | R36 | | ccn | A.6.SEC-RHEL5 | | cis | 5.4.3.3 | | stigid | RHEL-09-412065 | | stigref | SV-258074r991590_rule |
|
| Description | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 077
|
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users. |
|
|
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| not evaluated | oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement
oval:ssg-tst_accounts_umask_etc_login_defs:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-var_etc_login_defs_umask_as_number:var:1 | 18 |
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile mediumCCE-90828-5
Ensure the Default Umask is Set Correctly in /etc/profile
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-90828-5 |
| References: | | cis-csc | 18 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03 | | isa-62443-2009 | 4.3.4.3.3 | | iso27001-2013 | A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-6(1), CM-6(a) | | nist-csf | PR.IP-2 | | os-srg | SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 | | anssi | R36 | | ccn | A.6.SEC-RHEL5 | | cis | 5.4.3.3 | | stigid | RHEL-09-412070 | | stigref | SV-258075r991590_rule |
|
| Description | To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 077
Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary. |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
|
|
OVAL test results detailsVerify the existence of var_accounts_user_umask_as_number variable
oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| not evaluated | oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
umask value(s) from profile configuration files match the requirement
oval:ssg-tst_accounts_umask_etc_profile:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_accounts_umask_etc_profile:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-var_etc_profile_umask_as_number:var:1 |
Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users mediumCCE-90365-8
Ensure the Default Umask is Set Correctly For Interactive Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_interactive_users:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-90365-8 |
| References: | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228 | | stigid | RHEL-09-411025 | | stigref | SV-258044r1045135_rule |
|
| Description | Remove the UMASK environment variable from all interactive users initialization files. |
| Rationale | The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system. |
OVAL test results detailsUmask must not be defined in user initialization files
oval:ssg-test_accounts_umask_interactive_users:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type
textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance | Filter |
|---|
| ^(?:sysadmin):(?:[^:]*:){4}([^:]+):[^:]*$ | | /home/sysadmin |
| no value | ^\..* | ^[\s]*umask\s* | 1 | oval:ssg-state_accounts_umask_interactive_users_bash_history:ste:1 |
Ensure Home Directories are Created for New Usersxccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs mediumCCE-88983-2
Ensure Home Directories are Created for New Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_have_homedir_login_defs:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-88983-2 |
| References: | |
| Description | All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes
|
| Rationale | If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own. |
OVAL test results detailsCheck value of CREATE_HOME in /etc/login.defs
oval:ssg-test_accounts_have_homedir_login_defs:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/login.defs | CREATE_HOME yes
# |
Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay mediumCCE-83635-3
Ensure the Logon Failure Delay is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_logon_fail_delay:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83635-3 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | AC-7(b), CM-6(a) | | nist-csf | PR.IP-1 | | os-srg | SRG-OS-000480-GPOS-00226 | | stigid | RHEL-09-412050 | | stigref | SV-258071r991588_rule |
|
| Description | To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 4
|
| Rationale | Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack. |
|
|
OVAL test results detailscheck FAIL_DELAY in /etc/login.defs
oval:ssg-test_accounts_logon_fail_delay:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_logon_fail_delay:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/login.defs | ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) | 1 |
Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-83641-1
Limit the Number of Concurrent Login Sessions Allowed Per User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_max_concurrent_login_sessions:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | low |
| Identifiers: | CCE-83641-1 |
| References: | | cis-csc | 14, 15, 18, 9 | | cjis | 5.5.2.2 | | cobit5 | DSS01.05, DSS05.02 | | isa-62443-2009 | 4.3.3.4 | | isa-62443-2013 | SR 3.1, SR 3.8 | | iso27001-2013 | A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3 | | nerc-cip | CIP-007-3 R5.1, CIP-007-3 R5.1.2 | | nist | AC-10, CM-6(a) | | nist-csf | PR.AC-5 | | os-srg | SRG-OS-000027-GPOS-00008 | | stigid | RHEL-09-412040 | | stigref | SV-258069r958398_rule |
|
| Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 10
|
| Rationale | Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions. |
|
|
OVAL test results detailsthe value maxlogins should be set appropriately in /etc/security/limits.d/*.conf
oval:ssg-test_limitsd_maxlogins:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf
oval:ssg-test_limitsd_maxlogins_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.conf
oval:ssg-test_maxlogins:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/security/limits.conf | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ | 1 |
Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-83633-8
Set Interactive Session Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_tmout:def:1 |
| Time | 2025-09-21T20:22:58-05:00 |
| Severity | medium |
| Identifiers: | CCE-83633-8 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.11 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nerc-cip | CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-12, SC-10, AC-2(5), CM-6(a) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010 | | anssi | R32 | | ccn | A.5.SEC-RHEL8 | | cis | 5.4.3.2 | | pcidss4 | 8.6.1, 8.6 | | stigid | RHEL-09-412035 | | stigref | SV-258068r1069388_rule |
|
| Description | Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
typeset -xr TMOUT=600
or
declare -xr TMOUT=600
Using the typeset keyword is preferred for wider compatibility with ksh and other shells. |
| Rationale | Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended. |
|
|
OVAL test results detailsTMOUT in /etc/profile
oval:ssg-test_etc_profile_tmout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/profile | ^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$ | 1 |
TMOUT in /etc/profile.d/*.sh
oval:ssg-test_etc_profiled_tmout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profiled_tmout:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/profile.d | ^.*\.sh$ | ^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$ | 1 |
Check that at least one TMOUT is defined
oval:ssg-test_accounts_tmout_defined:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_tmout_defined:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-variable_count_of_tmout_instances:var:1 |
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-87451-1
User Initialization Files Must Not Run World-Writable Programs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_dot_no_world_writable_programs:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-87451-1 |
| References: | |
| Description | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE
|
| Rationale | If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level. |
OVAL test results detailsInit files do not execute world-writable programs
oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| ^\.[\w\- ]+$ | | /home/sysadmin | Referenced variable has no values (oval:ssg-var_world_writable_programs_regex:var:1). | 1 |
Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only mediumCCE-87487-5
Ensure that Users Path Contains Only Local Directories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-87487-5 |
| References: | |
| Description | Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory. |
| Rationale | The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the users home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO). |
Evaluation messagesinfo
No candidate or applicable check found. |
All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined mediumCCE-88964-2
All Interactive Users Must Have A Home Directory Defined
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_defined:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-88964-2 |
| References: | |
| Description | Assign home directories to all interactive users that currently do not
have a home directory assigned.
This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /. |
| Rationale | If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own. |
OVAL test results detailsAll Interactive Users Have A Home Directory Defined
oval:ssg-test_accounts_user_interactive_home_directory_defined:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Username | Password | User id | Group id | Gcos | Home dir | Login shell | Last login |
|---|
| true | sysadmin | x | 1000 | 1000 | sysadmin | /home/sysadmin | /bin/bash | 1758428993 |
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-83639-5
All Interactive Users Home Directories Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_exists:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83639-5 |
| References: | |
| Description | Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
|
| Rationale | If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access. |
OVAL test results detailsCheck the existence of interactive users.
oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 | 1 |
Check the existence of interactive users.
oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| not evaluated | oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 | 1 |
All Interactive User Home Directories Must Be Group-Owned By The Primary Groupxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-83629-6
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_home_directories:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83629-6 |
| References: | |
| Description | Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is
group-owned by an interactive user. It also ensures that interactive users
are group-owners of one and only one home directory. |
| Rationale | If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective home directories. |
OVAL test results detailsAll home directories are group-owned by a local interactive group
oval:ssg-test_file_groupownership_home_directories:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| true | /home/sysadmin/ | directory | 1000 | 1000 | 4096 | rwx------ |
Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files_root mediumCCE-87087-3
Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permission_user_init_files_root |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permission_user_init_files_root:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-87087-3 |
| References: | |
| Description | Set the mode of the user initialization files, including the root user,
to 0740 with the following commands:
$ sudo chmod 0740 /root/.INIT_FILE
$ sudo chmod 0740 /home/USER/.INIT_FILE
|
| Rationale | Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon. |
|
|
OVAL test results detailsInit files have mode 0740 or less permissive
oval:ssg-test_file_permission_user_init_files_root:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| true | /root/.lesshst | regular | 0 | 0 | 20 | rw------- |
| false | /root/.cshrc | regular | 0 | 0 | 100 | rw-r--r-- |
| false | /home/sysadmin/.bash_logout | regular | 1000 | 1000 | 18 | rw-r--r-- |
| false | /home/sysadmin/.bash_profile | regular | 1000 | 1000 | 141 | rw-r--r-- |
| false | /home/sysadmin/.bashrc | regular | 1000 | 1000 | 492 | rw-r--r-- |
| false | /home/sysadmin/.zshrc | regular | 1000 | 1000 | 658 | rw-r--r-- |
| true | /home/sysadmin/.bash_history | regular | 1000 | 1000 | 82 | rw------- |
| false | /root/.bash_profile | regular | 0 | 0 | 141 | rw-r--r-- |
| false | /root/.tcshrc | regular | 0 | 0 | 129 | rw-r--r-- |
| false | /root/.bashrc | regular | 0 | 0 | 429 | rw-r--r-- |
| true | /root/.bash_history | regular | 0 | 0 | 3397 | rw------- |
| false | /root/.bash_logout | regular | 0 | 0 | 18 | rw-r--r-- |
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-83634-6
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_home_directories |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_home_directories:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83634-6 |
| References: | |
| Description | Change the mode of interactive users home directories to 0750. To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER
|
| Rationale | Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users. |
OVAL test results detailsAll home directories have proper permissions
oval:ssg-test_file_permissions_home_directories:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| true | /home/sysadmin/ | directory | 1000 | 1000 | 4096 | rwx------ |
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-89732-2
Enable authselect
| Rule ID | xccdf_org.ssgproject.content_rule_enable_authselect |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_authselect:def:1 |
| Time | 2025-09-21T20:22:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-89732-2 |
| References: | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | nist | AC-3 | | ospp | FIA_UAU.1, FIA_AFL.1 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R31 | | ccn | enable_authselect | | cis | enable_authselect | | pcidss4 | 8.3.4, 8.3 | | stigid | needed_rules |
|
| Description | Configure user authentication setup to use the authselect tool.
If authselect profile is selected, the rule will enable the sssd profile. |
| Rationale | Authselect is a successor to authconfig.
It is a tool to select system authentication and identity sources from a list of supported
profiles instead of letting the administrator manually build the PAM stack.
That way, it avoids potential breakage of configuration, as it ships several tested profiles
that are well tested and supported to solve different use-cases. |
| Warnings | warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because PAM files have already been modified by
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile. |
OVAL test results detailsThe 'fingerprint-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| true | /etc/pam.d/fingerprint-auth | /etc/authselect/fingerprint-auth |
The 'password-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_password_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| true | /etc/pam.d/password-auth | /etc/authselect/password-auth |
The 'postlogin' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| true | /etc/pam.d/postlogin | /etc/authselect/postlogin |
The 'smartcard-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| true | /etc/pam.d/smartcard-auth | /etc/authselect/smartcard-auth |
The 'system-auth' PAM config is a symlink to its authselect counterpart
oval:ssg-test_pam_system_symlinked_to_authselect:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Canonical path |
|---|
| true | /etc/pam.d/system-auth | /etc/authselect/system-auth |
Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg mediumCCE-83848-2
Verify /boot/grub2/grub.cfg Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_grub2_cfg:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83848-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-7.1 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R29 | | ccn | A.6.SEC-RHEL2 | | cis | 1.4.2 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-212025 | | stigref | SV-257790r991589_rule |
|
| Description | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
|
| Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. |
OVAL test results detailsTesting group ownership of /boot/grub2/grub.cfg
oval:ssg-test_file_groupowner_grub2_cfg_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_grub2_cfg_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /boot/grub2/grub.cfg | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_grub2_cfg_0_0:ste:1 |
Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg mediumCCE-83845-8
Verify /boot/grub2/grub.cfg User Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_grub2_cfg:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83845-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-7.1 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R29 | | ccn | A.6.SEC-RHEL2 | | cis | 1.4.2 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-212030 | | stigref | SV-257791r991589_rule |
|
| Description | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
|
| Rationale | Only root should be able to modify important boot parameters. |
OVAL test results detailsTesting user ownership of /boot/grub2/grub.cfg
oval:ssg-test_file_owner_grub2_cfg_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_grub2_cfg_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /boot/grub2/grub.cfg | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_grub2_cfg_0_0:ste:1 |
Set the Boot Loader Admin Username to a Non-Default Valuexccdf_org.ssgproject.content_rule_grub2_admin_username highCCE-87370-3
Set the Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_admin_username |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_admin_username:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | high |
| Identifiers: | CCE-87370-3 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 | | os-srg | SRG-OS-000080-GPOS-00048 | | stigid | RHEL-09-212020 | | stigref | SV-257789r1069356_rule |
|
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the
/etc/grub.d/01_users configuration file to reflect the account name change.
Do not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
The line mentioned above must be followed by the line
export superusers
so that the superusers is honored.
Once the superuser account has been added,
update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
|
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results detailssuperuser is defined in /boot/grub2/grub.cfg. Superuser is not equal to other system account nor root, admin, administrator
oval:ssg-test_bootloader_superuser_differ_from_other_users:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_bootloader_unique_superuser:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | ^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)".*\nexport superusers$ | 1 |
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-83849-0
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_password:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | high |
| Identifiers: | CCE-83849-0 |
| References: | | cis-csc | 1, 11, 12, 14, 15, 16, 18, 3, 5 | | cobit5 | DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.4.5 | | hipaa | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7 | | iso27001-2013 | A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 | | ospp | FIA_UAU.1 | | os-srg | SRG-OS-000080-GPOS-00048 | | anssi | R5 | | ccn | A.8.SEC-RHEL7 | | cis | 1.4.1 | | stigid | RHEL-09-212010 | | stigref | SV-257787r1044836_rule |
|
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.
|
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results detailsmake sure a password is defined in /boot/grub2/user.cfg
oval:ssg-test_grub2_password_usercfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_usercfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/user.cfg | ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ | 1 |
make sure a password is defined in /boot/grub2/grub.cfg
oval:ssg-test_grub2_password_grubcfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_grubcfg:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ | 1 |
superuser is defined in /boot/grub2/grub.cfg files.
oval:ssg-test_bootloader_superuser:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /boot/grub2/grub.cfg | set superusers="root" |
The system must booted with init_on_free=1xccdf_org.ssgproject.content_rule_grub2_init_on_free mediumCCE-87483-4
The system must booted with init_on_free=1
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_init_on_free |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_init_on_free:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-87483-4 |
| References: | |
| Description | Setting init_on_free=1 on boot guarantees that pages and heap objects are initialized right after they're freed, so it won't be possible to access stale data by using a dangling pointer. |
| Rationale | init_on_free is a Linux kernel boot parameter that enhances security by initializing memory regions when they are freed, preventing data leakage.
This process ensures that stale data in freed memory cannot be accessed by malicious programs.
|
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for init_on_free=1 for all boot entries.
oval:ssg-test_grub2_init_on_free_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for init_on_free=1 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_init_on_free_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for init_on_free=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_init_on_free_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_init_on_free_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for init_on_free=1 for all boot entries.
oval:ssg-test_grub2_init_on_free_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_init_on_free_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Enable Kernel Page-Table Isolation (KPTI)xccdf_org.ssgproject.content_rule_grub2_pti_argument lowCCE-83843-3
Enable Kernel Page-Table Isolation (KPTI)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_pti_argument:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | low |
| Identifiers: | CCE-83843-3 |
| References: | |
| Description | To enable Kernel page-table isolation,
add the argument pti=on to the default
GRUB 2 command line for the Linux operating system.
To ensure that pti=on is added as a kernel command line
argument to newly installed kernels, add pti=on to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="pti=on"
If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form:
# /usr/lib/bootc/kargs.d/10-example.toml
kargs = ["pti=on"]
For more details on configuring kernel arguments in bootable container images, please refer to Bootc documentation. |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR). |
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for pti=on for all boot entries.
oval:ssg-test_grub2_pti_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_pti_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for pti=on in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_pti_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for pti=on for all boot entries.
oval:ssg-test_grub2_pti_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Disable vsyscallsxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument mediumCCE-83842-5
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_vsyscall_argument:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83842-5 |
| References: | |
| Description | To disable use of virtual syscalls,
add the argument vsyscall=none to the default
GRUB 2 command line for the Linux operating system.
To ensure that vsyscall=none is added as a kernel command line
argument to newly installed kernels, add vsyscall=none to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="vsyscall=none"
If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form:
# /usr/lib/bootc/kargs.d/10-example.toml
kargs = ["vsyscall=none"]
For more details on configuring kernel arguments in bootable container images, please refer to Bootc documentation. |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer. |
| Warnings | warning
The vsyscall emulation is only available on x86_64 architecture
(CONFIG_X86_VSYSCALL_EMULATION) making this rule not applicable
to other CPU architectures. |
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for vsyscall=none for all boot entries.
oval:ssg-test_grub2_vsyscall_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_vsyscall_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for vsyscall=none in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_vsyscall_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for vsyscall=none for all boot entries.
oval:ssg-test_grub2_vsyscall_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-83994-4
Ensure cron Is Logging To Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_cron_logging:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-83994-4 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1 | | ism | 0988, 1405 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2 | | nist | CM-6(a) | | nist-csf | ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-652060 | | stigref | SV-258150r1045296_rule |
|
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
If the legacy syntax is used:
cron.* /var/log/cron
If the modern syntax (RainerScript) is used:
cron.* action(type="omfile" file="/var/log/cron")
|
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users. |
OVAL test results detailscron is configured in /etc/rsyslog.conf
oval:ssg-test_cron_logging_rsyslog:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/rsyslog.conf | cron.* /var/log/cron
# Everybody gets emergency messages |
cron is configured in /etc/rsyslog.conf using RainerScript
oval:ssg-test_cron_logging_rsyslog_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_rainer:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | (?m)^\s*cron\.\*\s+action\(\s*.*(?i)\btype\b(?-i)="omfile"\s*.*(?i)\bfile\b(?-i)="/var/log/cron"\s*.*\)\s*$ | 1 |
cron is configured in /etc/rsyslog.d
oval:ssg-test_cron_logging_rsyslog_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*$ | ^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$ | 1 |
cron is configured in /etc/rsyslog.d using RainerScript
oval:ssg-test_cron_logging_rsyslog_dir_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir_rainer:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*$ | (?m)^\s*cron\.\*\s+action\(\s*.*(?i)\btype\b(?-i)="omfile"\s*.*(?i)\bfile\b(?-i)="/var/log/cron"\s*.*\)\s*$ | 1 |
Ensure Rsyslog Authenticates Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode mediumCCE-86871-1
Ensure Rsyslog Authenticates Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-86871-1 |
| References: | | nist | AU-4(1) | | os-srg | SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | stigid | RHEL-09-652040 | | stigref | SV-258146r1045288_rule |
|
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs the remote system must be authenticated.
Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$ActionSendStreamDriverAuthMode x509/name
Alternatively, use the RainerScript syntax:
action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")
|
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
|
|
OVAL test results detailsCheck if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\$ActionSendStreamDriverAuthMode x509/name$ | 1 |
Check if StreamDriverAuthMode is set to x509/name in /etc/rsyslog.conf using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_rainer:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\s*action\(.*(?i)\btype\b(?-i)="omfwd".*(?i)\bStreamDriverAuthMode\b(?-i)="x509/name".*\)\s*$ | 1 |
Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\$ActionSendStreamDriverAuthMode x509/name$ | 1 |
Check if StreamDriverAuthMode is set to x509/name in files in /etc/rsyslog.d using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir_rainer:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\s*action\(.*(?i)\btype\b(?-i)="omfwd".*(?i)\bStreamDriverAuthMode\b(?-i)="x509/name".*\)\s*$ | 1 |
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode mediumCCE-90191-8
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-90191-8 |
| References: | | nist | AU-4(1) | | os-srg | SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | stigid | RHEL-09-652045 | | stigref | SV-258147r1045290_rule |
|
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs off a encrpytion system must be used.
Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$ActionSendStreamDriverMode 1
Alternatively, use the RainerScript syntax:
action(type="omfwd" ... StreamDriverMode="1")
|
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
|
|
OVAL test results detailsCheck if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\$ActionSendStreamDriverMode 1$ | 1 |
Check if StreamDriverMode is set to 1 in /etc/rsyslog.conf using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_rainer:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\s*action\(.*(?i)\btype\b(?-i)="omfwd".*(?i)\bStreamDriverMode\b(?-i)="1".*\)\s*$ | 1 |
Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\$ActionSendStreamDriverMode 1$ | 1 |
Check if StreamDriverMode is set to 1 in files in /etc/rsyslog.d using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir_rainer:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\s*action\(.*(?i)\btype\b(?-i)="omfwd".*(?i)\bStreamDriverMode\b(?-i)="1".*\)\s*$ | 1 |
Ensure Rsyslog Encrypts Off-Loaded Audit Recordsxccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver mediumCCE-86782-0
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-86782-0 |
| References: | | nist | AU-4(1) | | os-srg | SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | stigid | RHEL-09-652050 | | stigref | SV-258148r1045292_rule |
|
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs off an encryption system must be used.
Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
$DefaultNetstreamDriver gtls
Alternatively, use the RainerScript syntax:
global(DefaultNetstreamDriver="gtls")
|
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
|
|
OVAL test results detailsCheck if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\$DefaultNetstreamDriver gtls$ | 1 |
Check if DefaultNetstreamDriver is set to gtls in /etc/rsyslog.conf using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_rainer:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\s*global\(.*(?i)\bDefaultNetStreamDriver\b(?-i)="gtls".*\)\s*$ | 1 |
Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf
oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\$DefaultNetstreamDriver gtls$ | 1 |
Check if DefaultNetstreamDriver is set to gtls in files in /etc/rsyslog.d using RainerScript
oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir_rainer:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.*conf$ | ^\s*global\(.*(?i)\bDefaultNetStreamDriver\b(?-i)="gtls".*\)\s*$ | 1 |
Ensure remote access methods are monitored in Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring mediumCCE-87960-1
Ensure remote access methods are monitored in Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_remote_access_monitoring:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-87960-1 |
| References: | |
| Description | Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The /etc/rsyslog.conf or
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:
auth.*;authpriv.* /var/log/secure
daemon.* /var/log/messages
|
| Rationale | Logging remote access methods can be used to trace the decrease the risks
associated with remote user access management. It can also be used to spot
cyber attacks and ensure ongoing compliance with organizational policies
surrounding the use of remote access methods. |
|
|
OVAL test results detailsremote method auth monitoring configured in rsyslog'
oval:ssg-test_remote_method_monitoring_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_remote_method_monitoring_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/rsyslog\.(conf|d/.+\.conf)$ | ^[^#\n]*auth(,\w+)*\.\*[^\n]*$ | 1 |
remote method authpriv monitoring configured in rsyslog'
oval:ssg-test_remote_method_monitoring_authpriv:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/rsyslog.conf | authpriv.* /var/log/secure |
remote method daemon monitoring configured in rsyslog'
oval:ssg-test_remote_method_monitoring_daemon:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_remote_method_monitoring_daemon:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/rsyslog\.(conf|d/.+\.conf)$ | ^[^#\n]*daemon(,\w+)*\.\*[^\n]*$ | 1 |
Enable systemd-journald Servicexccdf_org.ssgproject.content_rule_service_systemd-journald_enabled mediumCCE-85941-3
Enable systemd-journald Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-journald_enabled:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-85941-3 |
| References: | |
| Description | The systemd-journald service is an essential component of
systemd.
The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service
|
| Rationale | In the event of a system failure, Red Hat Enterprise Linux 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. |
OVAL test results detailspackage systemd is installed
oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | systemd | x86_64 | (none) | 51.el9_6.2 | 252 | 0:252-51.el9_6.2 | 199e2f91fd431d51 | systemd-0:252-51.el9_6.2.x86_64 |
Test that the systemd-journald service is running
oval:ssg-test_service_running_systemd-journald:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | systemd-journald.service | ActiveState | active |
| true | systemd-journald.socket | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_systemd-journald:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten mediumCCE-83995-1
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_nolisten |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_nolisten:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-83995-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | isa-62443-2009 | 4.2.3.4, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.8, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | ism | 0988, 1405 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-652025 | | stigref | SV-258143r1045283_rule |
|
| Description | The rsyslog daemon should not accept remote messages unless the system acts as a log
server. To ensure that it is not listening on the network, ensure any of the following lines
are not found in rsyslog configuration files.
If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")
|
| Rationale | Any process which receives messages from the network incurs some risk of receiving malicious
messages. This risk can be eliminated for rsyslog by configuring it not to listen on the
network. |
OVAL test results detailsrsyslog configuration files don't contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp
oval:ssg-test_rsyslog_nolisten_legacy:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_legacy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ | ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) | 1 |
rsyslog configuration files don't use imtcp or imudp modules
oval:ssg-test_rsyslog_nolisten_rainerscript:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_nolisten_rainerscript:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ | ^\s*(?:module|input)\((?:load|type)="(imtcp|imudp)".*$ | 1 |
Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-83990-2
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_remote_loghost:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-83990-2 |
| References: | | cis-csc | 1, 13, 14, 15, 16, 2, 3, 5, 6 | | cobit5 | APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2 | | ism | 0988, 1405 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1 | | nerc-cip | CIP-003-8 R5.2, CIP-004-6 R3.3 | | nist | CM-6(a), AU-4(1), AU-9(2) | | nist-csf | PR.DS-4, PR.PT-1 | | os-srg | SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133 | | anssi | R71 | | stigid | RHEL-09-652055 | | stigref | SV-258149r1045294_rule |
|
| Description | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting logcollector appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @logcollector
Or in RainerScript:
*.* action(type="omfwd" ... target="logcollector" protocol="udp")
To use TCP for log message delivery:
*.* @@logcollector
Or in RainerScript:
*.* action(type="omfwd" ... target="logcollector" protocol="tcp")
To use RELP for log message delivery:
*.* :omrelp:logcollector
Or in RainerScript:
*.* action(type="omfwd" ... target="logcollector" protocol="relp")
There must be a resolvable DNS CNAME or Alias record set to " logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise. |
| Warnings | warning
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into /etc/rsyslog.conf
can look like the following lines:
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
Or if using Rainer Script syntax, it could be:
*.* action(type="omfwd" queue.type="linkedlist" queue.filename="example_fwd" action.resumeRetryCount="-1" queue.saveOnShutdown="on" target="example.com" port="30514" protocol="tcp")
|
|
|
OVAL test results detailsEnsures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.+\.conf$ | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensures system configured to export logs to remote host using Rainer syntax
oval:ssg-test_remote_rsyslog_conf_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf_rainer:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/rsyslog.conf | (?m)^\s*\*\.\*\s+action\(\s*.*(?i)\btype\b(?-i)="omfwd"\s*.*(?i)\btarget\b(?-i)="\S+"\s*.*\)\s*$ | 1 |
Ensures system configured to export logs to remote host using Rainer
oval:ssg-test_remote_rsyslog_d_rainer:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d_rainer:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/rsyslog.d | ^.+\.conf$ | (?m)^\s*\*\.\*\s+action\(\s*.*(?i)\btype\b(?-i)="omfwd"\s*.*(?i)\btarget\b(?-i)="\S+"\s*.*\)\s*$ | 1 |
Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-83987-8
Ensure rsyslog-gnutls is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsyslog-gnutls_installed:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-83987-8 |
| References: | |
| Description | TLS protocol support for rsyslog is installed.
The rsyslog-gnutls package can be installed with the following command:
$ sudo dnf install rsyslog-gnutls
|
| Rationale | The rsyslog-gnutls package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging. |
OVAL test results detailspackage rsyslog-gnutls is installed
oval:ssg-test_package_rsyslog-gnutls_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | rsyslog-gnutls | x86_64 | (none) | 1.el9 | 8.2412.0 | 0:8.2412.0-1.el9 | 199e2f91fd431d51 | rsyslog-gnutls-0:8.2412.0-1.el9.x86_64 |
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-84063-7
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsyslog_installed:def:1 |
| Time | 2025-09-21T20:24:33-05:00 |
| Severity | medium |
| Identifiers: | CCE-84063-7 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | | nist | CM-6(a) | | nist-csf | PR.PT-1 | | os-srg | SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-652010 | | stigref | SV-258140r1045278_rule |
|
| Description | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo dnf install rsyslog
|
| Rationale | The rsyslog package provides the rsyslog daemon, which provides
system logging services. |
OVAL test results detailspackage rsyslog is installed
oval:ssg-test_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | rsyslog | x86_64 | (none) | 1.el9 | 8.2412.0 | 0:8.2412.0-1.el9 | 199e2f91fd431d51 | rsyslog-0:8.2412.0-1.el9.x86_64 |
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-83989-4
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rsyslog_enabled:def:1 |
| Time | 2025-09-21T20:24:35-05:00 |
| Severity | medium |
| Identifiers: | CCE-83989-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1 | | nist | CM-6(a), AU-4(1) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-652020 | | stigref | SV-258142r991589_rule |
|
| Description | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 9.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
|
| Rationale | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. |
OVAL test results detailspackage rsyslog is installed
oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | rsyslog | x86_64 | (none) | 1.el9 | 8.2412.0 | 0:8.2412.0-1.el9 | 199e2f91fd431d51 | rsyslog-0:8.2412.0-1.el9.x86_64 |
Test that the rsyslog service is running
oval:ssg-test_service_running_rsyslog:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | rsyslog.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_rsyslog:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-84021-5
Install firewalld Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_firewalld_installed:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-84021-5 |
| References: | | nist | CM-6(a) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232 | | ccn | A.8.SEC-RHEL3 | | cis | 4.1.2 | | pcidss4 | 1.2.1, 1.2 | | stigid | RHEL-09-251010 | | stigref | SV-257935r1044994_rule |
|
| Description | The firewalld package can be installed with the following command:
$ sudo dnf install firewalld
|
| Rationale | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Red Hat Enterprise Linux 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity.
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." |
OVAL test results detailspackage firewalld is installed
oval:ssg-test_package_firewalld_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | firewalld | noarch | (none) | 9.el9_5 | 1.3.4 | 0:1.3.4-9.el9_5 | 199e2f91fd431d51 | firewalld-0:1.3.4-9.el9_5.noarch |
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-90833-5
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_firewalld_enabled:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-90833-5 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.3, 3.4.7 | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nerc-cip | CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3 | | nist | AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a) | | nist-csf | PR.IP-1 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232 | | bsi | SYS.1.6.A5, SYS.1.6.A21 | | ccn | A.8.SEC-RHEL3 | | cis | 4.1.2 | | pcidss4 | 1.2.1, 1.2 | | stigid | RHEL-09-251015 | | stigref | SV-257936r1044995_rule |
|
| Description |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
|
| Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
OVAL test results detailspackage firewalld is installed
oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | firewalld | noarch | (none) | 9.el9_5 | 1.3.4 | 0:1.3.4-9.el9_5 | 199e2f91fd431d51 | firewalld-0:1.3.4-9.el9_5.noarch |
Test that the firewalld service is running
oval:ssg-test_service_running_firewalld:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | firewalld.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_firewalld:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_firewalld_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systemsxccdf_org.ssgproject.content_rule_configured_firewalld_default_deny mediumCCE-86049-4
Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
| Rule ID | xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-86049-4 |
| References: | |
| Description | Red Hat Enterprise Linux 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones.
Zones can be utilized to a deny-all, allow-by-exception approach.
The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. |
| Rationale | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems.
It also permits outbound connections that may facilitate exfiltration of data. |
Evaluation messagesinfo
No candidate or applicable check found. |
Configure Firewalld to Use the Nftables Backendxccdf_org.ssgproject.content_rule_firewalld-backend mediumCCE-86507-1
Configure Firewalld to Use the Nftables Backend
| Rule ID | xccdf_org.ssgproject.content_rule_firewalld-backend |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-firewalld-backend:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-86507-1 |
| References: | |
| Description | Firewalld can be configured with many backends, such as nftables. |
| Rationale | Nftables is modern kernel module for controling network connections coming into a system.
Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. |
OVAL test results detailstests the value of FirewallBackend setting in the /etc/firewalld/firewalld.conf file
oval:ssg-test_firewalld-backend:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/firewalld/firewalld.conf | FirewallBackend=nftables |
Install libreswan Packagexccdf_org.ssgproject.content_rule_package_libreswan_installed mediumCCE-84068-6
Install libreswan Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_libreswan_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_libreswan_installed:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84068-6 |
| References: | | cis-csc | 12, 15, 3, 5, 8 | | cobit5 | APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04 | | isa-62443-2009 | 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8 | | isa-62443-2013 | SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.15.1.1, A.15.2.1, A.6.2.1, A.6.2.2 | | nist | CM-6(a) | | nist-csf | PR.AC-3, PR.MA-2, PR.PT-4 | | pcidss | Req-4.1 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 | | stigid | RHEL-09-252065 | | stigref | SV-257954r1045008_rule |
|
| Description | The libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. The libreswan package can be installed with the following command:
$ sudo dnf install libreswan
|
| Rationale | Providing the ability for remote users or systems
to initiate a secure VPN connection protects information when it is
transmitted over a wide area network. |
OVAL test results detailspackage libreswan is installed
oval:ssg-test_package_libreswan_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | libreswan | x86_64 | (none) | 8.el9 | 4.15 | 0:4.15-8.el9 | 199e2f91fd431d51 | libreswan-0:4.15-8.el9.x86_64 |
Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels mediumCCE-90319-5
Verify Any Configured IPSec Tunnel Connections
| Rule ID | xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-90319-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9 | | cobit5 | APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-17(a), MA-4(6), CM-6(a), AC-4, SC-8 | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-252045 | | stigref | SV-257950r1045006_rule |
|
| Description | Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
(conn) configured in /etc/ipsec.conf and /etc/ipsec.d
exists is an approved organizational connection. |
| Rationale | IP tunneling mechanisms can be used to bypass network filtering. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique
requirements of each system. |
Evaluation messagesinfo
No candidate or applicable check found. |
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra mediumCCE-84120-5
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84120-5 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.11 | | stigid | RHEL-09-254010 | | stigref | SV-257971r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0
|
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
|
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1
|
net.ipv6.conf.all.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.accept_ra | 1 |
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-84125-4
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84125-4 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R13 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.5 | | stigid | RHEL-09-254015 | | stigref | SV-257972r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0
|
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv6.conf.all.accept_redirects = 0 |
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv6.conf.all.accept_redirects = 0 |
net.ipv6.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv6.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-84131-2
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84131-2 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9 | | cobit5 | APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R13 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.8 | | stigid | RHEL-09-254020 | | stigref | SV-257973r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
|
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1
|
net.ipv6.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv6.conf.all.accept_source_route | 0 |
Disable Kernel Parameter for IPv6 Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding mediumCCE-84114-8
Disable Kernel Parameter for IPv6 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84114-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv) | | nist-csf | DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 3.3.1 | | stigid | RHEL-09-254025 | | stigref | SV-257974r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0
|
| Rationale | IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers. |
|
|
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
|
net.ipv6.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1
|
net.ipv6.conf.all.forwarding static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv6.conf.all.forwarding | 0 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra mediumCCE-84124-7
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84124-7 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.11 | | stigid | RHEL-09-254030 | | stigref | SV-257975r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0
|
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
|
|
|
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
|
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1
|
net.ipv6.conf.default.accept_ra static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.default.accept_ra | 1 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-84113-0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84113-0 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R13 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.5 | | stigid | RHEL-09-254035 | | stigref | SV-257976r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0
|
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv6.conf.default.accept_redirects = 0 |
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv6.conf.default.accept_redirects = 0 |
net.ipv6.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv6.conf.default.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-84130-4
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84130-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9 | | cobit5 | APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R13 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.8 | | pcidss4 | 1.4.2, 1.4 | | stigid | RHEL-09-254040 | | stigref | SV-257977r991589_rule |
|
| Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results detailsnet.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1
|
net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
|
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1
|
net.ipv6.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv6.conf.default.accept_source_route | 0 |
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-84011-6
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84011-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.5 | | stigid | RHEL-09-253015 | | stigref | SV-257958r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0
|
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required." |
OVAL test results detailsnet.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.all.accept_redirects = 0
|
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.all.accept_redirects = 0
|
net.ipv4.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-84001-7
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84001-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.8 | | stigid | RHEL-09-253020 | | stigref | SV-257959r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
|
|
|
OVAL test results detailsnet.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
|
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1
|
net.ipv4.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.all.accept_source_route | 0 |
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding mediumCCE-87181-4
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_forwarding:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-87181-4 |
| References: | |
| Description | To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0
|
| Rationale | IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers. |
| Warnings | warning
There might be cases when certain applications can systematically override this option.
One such case is Libvirt; a toolkit for managing of virtualization platforms.
By default, Libvirt requires IP forwarding to be enabled to facilitate
network communication between the virtualization host and guest
machines. It enables IP forwarding after every reboot. |
|
|
OVAL test results detailsnet.ipv4.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1
|
net.ipv4.conf.all.forwarding static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_forwarding:obj:1
|
net.ipv4.conf.all.forwarding static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_forwarding:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.forwarding set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_forwarding_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.all.forwarding | 0 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-84000-9
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | unknown |
| Identifiers: | CCE-84000-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), SC-5(3)(a) | | nist-csf | DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.9 | | stigid | RHEL-09-253025 | | stigref | SV-257960r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1
|
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
|
|
OVAL test results detailsnet.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
|
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1
|
net.ipv4.conf.all.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv4.conf.all.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-84008-2
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84008-2 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.7 | | pcidss4 | 1.4.3, 1.4 | | stigid | RHEL-09-253035 | | stigref | SV-257962r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
|
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
|
|
|
OVAL test results detailsnet.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
|
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1
|
net.ipv4.conf.all.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2
oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv4.conf.all.rp_filter | 0 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-84003-3
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84003-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.5 | | pcidss4 | 1.4.3, 1.4 | | stigid | RHEL-09-253040 | | stigref | SV-257963r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required. |
OVAL test results detailsnet.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.default.accept_redirects = 0 |
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.default.accept_redirects = 0 |
net.ipv4.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.default.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-84007-4
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84007-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.8 | | stigid | RHEL-09-253045 | | stigref | SV-257964r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0
|
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router. |
OVAL test results detailsnet.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
|
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1
|
net.ipv4.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.accept_source_route = 0 |
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.default.accept_source_route | 0 |
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians unknownCCE-84014-0
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | unknown |
| Identifiers: | CCE-84014-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), SC-5(3)(a) | | nist-csf | DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.9 | | stigid | RHEL-09-253030 | | stigref | SV-257961r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1
|
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
|
|
|
OVAL test results detailsnet.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
|
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1
|
net.ipv4.conf.default.log_martians static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.ipv4.conf.default.log_martians | 0 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-84009-0
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84009-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.7 | | stigid | RHEL-09-253050 | | stigref | SV-257965r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1
|
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
|
|
|
OVAL test results detailsnet.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
|
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1
|
net.ipv4.conf.default.rp_filter static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /usr/lib/sysctl.d/50-default.conf | net.ipv4.conf.default.rp_filter = 2 |
| true | /usr/lib/sysctl.d/50-redhat.conf | net.ipv4.conf.default.rp_filter = 1 |
kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.default.rp_filter | 1 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-84004-1
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-84004-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5 | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.4 | | pcidss4 | 1.4.2, 1.4 | | stigid | RHEL-09-253055 | | stigref | SV-257966r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1
|
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network. |
|
|
|
OVAL test results detailsnet.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1
|
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.icmp_echo_ignore_broadcasts | 1 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-84015-7
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1 |
| Time | 2025-09-21T20:24:39-05:00 |
| Severity | unknown |
| Identifiers: | CCE-84015-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 | | cobit5 | APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5 | | nist-csf | DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3 | | pcidss | Req-1.4.3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.3 | | pcidss4 | 1.4.2, 1.4 | | stigid | RHEL-09-253060 | | stigref | SV-257967r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
| Rationale | Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged. |
|
|
|
OVAL test results detailsnet.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
|
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1
|
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.icmp_ignore_bogus_error_responses | 1 |
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-84006-6
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84006-6 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.4.3.3 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 | | pcidss | Req-1.4.1 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.10 | | pcidss4 | 1.4.3, 1.4 | | stigid | RHEL-09-253010 | | stigref | SV-257957r1045009_rule |
|
| Description | To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
| Rationale | A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests. |
|
|
|
OVAL test results detailsnet.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
|
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1
|
net.ipv4.tcp_syncookies static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value
oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.tcp_syncookies | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-83997-7
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-83997-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.2 | | pcidss4 | 1.4.5, 1.4 | | stigid | RHEL-09-253065 | | stigref | SV-257968r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0
|
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results detailsnet.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.all.send_redirects = 0 |
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.all.send_redirects = 0 |
net.ipv4.conf.all.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.all.send_redirects | 0 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-83999-3
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-83999-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 | | cjis | 5.10.1.1 | | cobit5 | APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.20 | | isa-62443-2009 | 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1 | | nist | CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a) | | nist-csf | DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R12 | | ccn | A.8.SEC-RHEL6 | | cis | 3.3.2 | | pcidss4 | 1.4.5, 1.4 | | stigid | RHEL-09-253070 | | stigref | SV-257969r991589_rule |
|
| Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0
|
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
OVAL test results detailsnet.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.default.send_redirects = 0 |
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user_missing:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/sysctl.d/50-libreswan.conf | net.ipv4.conf.default.send_redirects = 0 |
net.ipv4.conf.default.send_redirects static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0
oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | net.ipv4.conf.default.send_redirects | 0 |
Disable ATM Supportxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled mediumCCE-84137-9
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_atm_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84137-9 |
| References: | |
| Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the atm
kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
install atm /bin/false
|
| Rationale | Disabling ATM protects the system against exploitation of any
flaws in its implementation. |
|
|
|
OVAL test results detailskernel module atm blacklisted
oval:ssg-test_kernmod_atm_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+atm$ | 1 |
kernel module atm disabled
oval:ssg-test_kernmod_atm_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
Disable CAN Supportxccdf_org.ssgproject.content_rule_kernel_module_can_disabled mediumCCE-84134-6
Disable CAN Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_can_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84134-6 |
| References: | |
| Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
install can /bin/false
|
| Rationale | Disabling CAN protects the system against exploitation of any
flaws in its implementation. |
|
|
|
OVAL test results detailskernel module can blacklisted
oval:ssg-test_kernmod_can_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+can$ | 1 |
kernel module can disabled
oval:ssg-test_kernmod_can_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
Disable IEEE 1394 (FireWire) Supportxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled lowCCE-84060-3
Disable IEEE 1394 (FireWire) Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_firewire-core_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | low |
| Identifiers: | CCE-84060-3 |
| References: | |
| Description | The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
install firewire-core /bin/false
|
| Rationale | Disabling FireWire protects the system against exploitation of any
flaws in its implementation. |
|
|
|
OVAL test results detailskernel module firewire-core blacklisted
oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+firewire-core$ | 1 |
kernel module firewire-core disabled
oval:ssg-test_kernmod_firewire-core_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-84139-5
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_sctp_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84139-5 |
| References: | | cis-csc | 11, 14, 3, 9 | | cjis | 5.10.1 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | ospp | FMT_SMF_EXT.1 | | pcidss | Req-1.4.2 | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | cis | 3.2.4 | | pcidss4 | 1.4.2, 1.4 | | stigid | RHEL-09-213060 | | stigref | SV-257807r1044862_rule |
|
| Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/false
|
| Rationale | Disabling SCTP protects
the system against exploitation of any flaws in its implementation. |
|
|
|
OVAL test results detailskernel module sctp blacklisted
oval:ssg-test_kernmod_sctp_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+sctp$ | 1 |
kernel module sctp disabled
oval:ssg-test_kernmod_sctp_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ | 1 |
Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled lowCCE-84065-2
Disable TIPC Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_tipc_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | low |
| Identifiers: | CCE-84065-2 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000095-GPOS-00049 | | cis | 3.2.2 | | stigid | RHEL-09-213065 | | stigref | SV-257808r1044865_rule |
|
| Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
install tipc /bin/false
|
| Rationale | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
|
|
|
OVAL test results detailskernel module tipc blacklisted
oval:ssg-test_kernmod_tipc_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+tipc$ | 1 |
kernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
Disable Bluetooth Kernel Modulexccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled mediumCCE-84067-8
Disable Bluetooth Kernel Module
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_bluetooth_disabled:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84067-8 |
| References: | | cis-csc | 11, 12, 14, 15, 3, 8, 9 | | cjis | 5.13.1.3 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06 | | cui | 3.1.16 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118 | | stigid | RHEL-09-291035 | | stigref | SV-258039r1045131_rule |
|
| Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
|
| Rationale | If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation. |
|
|
|
OVAL test results detailskernel module bluetooth blacklisted
oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+bluetooth$ | 1 |
kernel module bluetooth disabled
oval:ssg-test_kernmod_bluetooth_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ | 1 |
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-84066-0
Deactivate Wireless Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-84066-0 |
| References: | | cis-csc | 11, 12, 14, 15, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06 | | cui | 3.1.16 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | ism | 1315, 1319 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-1.3.3 | | os-srg | SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-00481 | | cis | 3.1.2 | | pcidss4 | 1.3.3, 1.3 | | stigid | RHEL-09-291040 | | stigref | SV-258040r991568_rule |
|
| Description | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
|
| Rationale | The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources. |
NetworkManager DNS Mode Must Be Must Configuredxccdf_org.ssgproject.content_rule_networkmanager_dns_mode mediumCCE-86805-9
NetworkManager DNS Mode Must Be Must Configured
| Rule ID | xccdf_org.ssgproject.content_rule_networkmanager_dns_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-networkmanager_dns_mode:def:1 |
| Time | 2025-09-21T20:24:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-86805-9 |
| References: | |
| Description | The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected. |
| Rationale | To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured. |
|
|
OVAL test results detailstests the value of dns setting in the /etc/NetworkManager/NetworkManager.conf file
oval:ssg-test_networkmanager_dns_mode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_networkmanager_dns_mode:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/NetworkManager/NetworkManager.conf | ^\s*\[main\].*(?:\n\s*[^[\s].*)*\n^[ \t]*dns=(.+?)[ \t]*(?:$|#) | 1 |
tests the value of dns setting in the /etc/NetworkManager/conf.d file
oval:ssg-test_networkmanager_dns_mode_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_networkmanager_dns_mode_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/NetworkManager/conf.d | .*\.conf$ | ^\s*\[main\].*(?:\n\s*[^[\s].*)*\n^[ \t]*dns=(.+?)[ \t]*(?:$|#) | 1 |
The configuration file /etc/NetworkManager/NetworkManager.conf exists for networkmanager_dns_mode
oval:ssg-test_networkmanager_dns_mode_config_file_exists:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/NetworkManager/NetworkManager.conf | regular | 0 | 0 | 2263 | rw-r--r-- |
Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution mediumCCE-86858-8
Configure Multiple DNS Servers in /etc/resolv.conf
| Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_configure_name_resolution:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-86858-8 |
| References: | | cis-csc | 12, 15, 8 | | cobit5 | APO13.01, DSS05.02 | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.13.1.1, A.13.2.1, A.14.1.3 | | nist | SC-20(a), CM-6(a) | | nist-csf | PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-252035 | | stigref | SV-257948r1045004_rule |
|
| Description |
Determine whether the system is using local or DNS name resolution with the
following command:
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf"
file, the "/etc/resolv.conf" file must be empty.
Verify the "/etc/resolv.conf" file is empty with the following command:
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file,
then verify the following:
Multiple Domain Name System (DNS) Servers should be configured
in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address
entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
|
| Rationale | To provide availability for name resolution services, multiple redundant
name servers are mandated. A failure in name resolution could lead to the
failure of security functions requiring name resolution, which may include
time synchronization, centralized authentication, and remote system logging. |
| Warnings | warning
This rule doesn't come with a remediation, the IP addresses of local authoritative name servers need to be added by the administrator. |
OVAL test results detailscheck if dns is set in host line in /etc/nsswitch.conf
oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/nsswitch.conf | hosts: files dns myhostname |
check if more than one nameserver in /etc/resolv.conf
oval:ssg-test_network_configure_name_resolution:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/resolv.conf | ^[\s]*nameserver[\s]+([0-9\.]+)$ | 1 |
check if dns is set in host line in /etc/nsswitch.conf
oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/nsswitch.conf | hosts: files dns myhostname |
check if /etc/resolv.conf is empty
oval:ssg-test_file_empty_resolv:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| false | /etc/resolv.conf | regular | 0 | 0 | 109 | rw-r--r-- |
Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-83996-9
Ensure System is Not Acting as a Network Sniffer
| Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_sniffer_disabled:def:1 |
| Time | 2025-09-21T20:24:37-05:00 |
| Severity | medium |
| Identifiers: | CCE-83996-9 |
| References: | | cis-csc | 1, 11, 14, 3, 9 | | cobit5 | APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8 | | iso27001-2013 | A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3 | | nist-csf | DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 1.4.5, 1.4 | | stigid | RHEL-09-251040 | | stigref | SV-257941r991589_rule |
|
| Description | The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
|
| Rationale | Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
If the system is being used to perform a network troubleshooting function, the use of these
tools must be documented with the Information Systems Security Manager (ISSM) and restricted
to only authorized personnel. |
OVAL test results detailscheck all network interfaces for PROMISC flag
oval:ssg-test_promisc_interfaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_promisc_interfaces:obj:1 of type
interface_object
| Name | Filter |
|---|
| ^.*$ | oval:ssg-state_promisc:ste:1 |
Verify Group Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group mediumCCE-83928-2
Verify Group Who Owns Backup group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83928-2 |
| References: | |
| Description | To properly set the group owner of /etc/group-, run the command:
$ sudo chgrp root /etc/group-
|
| Rationale | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results detailsTesting group ownership of /etc/group-
oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group- | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_backup_etc_group_0_0:ste:1 |
Verify Group Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow mediumCCE-83951-4
Verify Group Who Owns Backup gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83951-4 |
| References: | |
| Description | To properly set the group owner of /etc/gshadow-, run the command:
$ sudo chgrp root /etc/gshadow-
|
| Rationale | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results detailsTesting group ownership of /etc/gshadow-
oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow- | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_backup_etc_gshadow_0_0:ste:1 |
Verify Group Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd mediumCCE-83933-2
Verify Group Who Owns Backup passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83933-2 |
| References: | |
| Description | To properly set the group owner of /etc/passwd-, run the command:
$ sudo chgrp root /etc/passwd-
|
| Rationale | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results detailsTesting group ownership of /etc/passwd-
oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd- | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_backup_etc_passwd_0_0:ste:1 |
Verify User Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow mediumCCE-83938-1
Verify User Who Owns Backup shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83938-1 |
| References: | |
| Description | To properly set the group owner of /etc/shadow-, run the command:
$ sudo chgrp root /etc/shadow-
|
| Rationale | The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results detailsTesting group ownership of /etc/shadow-
oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow- | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_backup_etc_shadow_0_0:ste:1 |
Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group mediumCCE-83945-6
Verify Group Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83945-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232095 | | stigref | SV-257899r991589_rule |
|
| Description | To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
|
| Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results detailsTesting group ownership of /etc/group
oval:ssg-test_file_groupowner_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_etc_group_0_0:ste:1 |
Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow mediumCCE-83948-0
Verify Group Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83948-0 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.7 | | stigid | RHEL-09-232115 | | stigref | SV-257903r991589_rule |
|
| Description | To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
|
| Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results detailsTesting group ownership of /etc/gshadow
oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_etc_gshadow_0_0:ste:1 |
Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd mediumCCE-83950-6
Verify Group Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83950-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.1 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232135 | | stigref | SV-257907r991589_rule |
|
| Description | To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
|
| Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
OVAL test results detailsTesting group ownership of /etc/passwd
oval:ssg-test_file_groupowner_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_etc_passwd_0_0:ste:1 |
Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow mediumCCE-83930-8
Verify Group Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83930-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232155 | | stigref | SV-257911r991589_rule |
|
| Description | To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
|
| Rationale | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. |
OVAL test results detailsTesting group ownership of /etc/shadow
oval:ssg-test_file_groupowner_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_etc_shadow_0_0:ste:1 |
Verify User Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_group mediumCCE-83944-9
Verify User Who Owns Backup group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83944-9 |
| References: | |
| Description | To properly set the owner of /etc/group-, run the command:
$ sudo chown root /etc/group-
|
| Rationale | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results detailsTesting user ownership of /etc/group-
oval:ssg-test_file_owner_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group- | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_backup_etc_group_0_0:ste:1 |
Verify User Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow mediumCCE-83929-0
Verify User Who Owns Backup gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83929-0 |
| References: | |
| Description | To properly set the owner of /etc/gshadow-, run the command:
$ sudo chown root /etc/gshadow-
|
| Rationale | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results detailsTesting user ownership of /etc/gshadow-
oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow- | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_backup_etc_gshadow_0_0:ste:1 |
Verify User Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd mediumCCE-83947-2
Verify User Who Owns Backup passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83947-2 |
| References: | |
| Description | To properly set the owner of /etc/passwd-, run the command:
$ sudo chown root /etc/passwd-
|
| Rationale | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results detailsTesting user ownership of /etc/passwd-
oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd- | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_backup_etc_passwd_0_0:ste:1 |
Verify Group Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow mediumCCE-83949-8
Verify Group Who Owns Backup shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83949-8 |
| References: | |
| Description | To properly set the owner of /etc/shadow-, run the command:
$ sudo chown root /etc/shadow-
|
| Rationale | The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results detailsTesting user ownership of /etc/shadow-
oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow- | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_backup_etc_shadow_0_0:ste:1 |
Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group mediumCCE-83925-8
Verify User Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83925-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232090 | | stigref | SV-257898r991589_rule |
|
| Description | To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group
|
| Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results detailsTesting user ownership of /etc/group
oval:ssg-test_file_owner_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_etc_group_0_0:ste:1 |
Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-83924-1
Verify User Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83924-1 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.7 | | stigid | RHEL-09-232110 | | stigref | SV-257902r991589_rule |
|
| Description | To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow
|
| Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results detailsTesting user ownership of /etc/gshadow
oval:ssg-test_file_owner_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_etc_gshadow_0_0:ste:1 |
Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd mediumCCE-83943-1
Verify User Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83943-1 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.1 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232130 | | stigref | SV-257906r991589_rule |
|
| Description | To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd
|
| Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
OVAL test results detailsTesting user ownership of /etc/passwd
oval:ssg-test_file_owner_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_etc_passwd_0_0:ste:1 |
Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow mediumCCE-83926-6
Verify User Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83926-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232150 | | stigref | SV-257910r991589_rule |
|
| Description | To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow
|
| Rationale | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
OVAL test results detailsTesting user ownership of /etc/shadow
oval:ssg-test_file_owner_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_etc_shadow_0_0:ste:1 |
Verify Permissions on Backup group Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group mediumCCE-83939-9
Verify Permissions on Backup group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_backup_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83939-9 |
| References: | |
| Description |
To properly set the permissions of /etc/group-, run the command:
$ sudo chmod 0644 /etc/group-
|
| Rationale | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
OVAL test results detailsTesting mode of /etc/group-
oval:ssg-test_file_permissions_backup_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group- | oval:ssg-exclude_symlinks__backup_etc_group:ste:1 | oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on Backup gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow mediumCCE-83942-3
Verify Permissions on Backup gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_backup_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83942-3 |
| References: | |
| Description |
To properly set the permissions of /etc/gshadow-, run the command:
$ sudo chmod 0000 /etc/gshadow-
|
| Rationale | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. |
OVAL test results detailsTesting mode of /etc/gshadow-
oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow- | oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1 | oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on Backup passwd Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd mediumCCE-83940-7
Verify Permissions on Backup passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_backup_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83940-7 |
| References: | |
| Description |
To properly set the permissions of /etc/passwd-, run the command:
$ sudo chmod 0644 /etc/passwd-
|
| Rationale | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
OVAL test results detailsTesting mode of /etc/passwd-
oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd- | oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1 | oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on Backup shadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow mediumCCE-83935-7
Verify Permissions on Backup shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_backup_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83935-7 |
| References: | |
| Description |
To properly set the permissions of /etc/shadow-, run the command:
$ sudo chmod 0000 /etc/shadow-
|
| Rationale | The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
OVAL test results detailsTesting mode of /etc/shadow-
oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow- | oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1 | oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-83934-0
Verify Permissions on group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_etc_group:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83934-0 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232055 | | stigref | SV-257891r991589_rule |
|
| Description |
To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group
|
| Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
OVAL test results detailsTesting mode of /etc/group
oval:ssg-test_file_permissions_etc_group_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/group | oval:ssg-exclude_symlinks__etc_group:ste:1 | oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-83921-7
Verify Permissions on gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_etc_gshadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83921-7 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.7 | | stigid | RHEL-09-232065 | | stigref | SV-257893r991589_rule |
|
| Description |
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
|
| Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
OVAL test results detailsTesting mode of /etc/gshadow
oval:ssg-test_file_permissions_etc_gshadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/gshadow | oval:ssg-exclude_symlinks__etc_gshadow:ste:1 | oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1 |
Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-83931-6
Verify Permissions on passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_etc_passwd:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83931-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.1 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232075 | | stigref | SV-257895r991589_rule |
|
| Description |
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
|
| Rationale | If the /etc/passwd file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. |
OVAL test results detailsTesting mode of /etc/passwd
oval:ssg-test_file_permissions_etc_passwd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/passwd | oval:ssg-exclude_symlinks__etc_passwd:ste:1 | oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1 |
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-83941-5
Verify Permissions on shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_etc_shadow:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83941-5 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.2.2 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-8.7.c | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 7.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232270 | | stigref | SV-257934r991589_rule |
|
| Description |
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
|
| Rationale | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
OVAL test results detailsTesting mode of /etc/shadow
oval:ssg-test_file_permissions_etc_shadow_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/shadow | oval:ssg-exclude_symlinks__etc_shadow:ste:1 | oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1 |
Verify Group Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_groupowner_var_log mediumCCE-83912-6
Verify Group Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_var_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_var_log:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83912-6 |
| References: | |
| Description | To properly set the group owner of /var/log, run the command:
$ sudo chgrp root /var/log
|
| Rationale | The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel. |
OVAL test results detailsTesting group ownership of /var/log/
oval:ssg-test_file_groupowner_var_log_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /var/log | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_var_log_0_0:ste:1 |
Verify Group Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages mediumCCE-83916-7
Verify Group Who Owns /var/log/messages File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_var_log_messages:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83916-7 |
| References: | |
| Description | To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
|
| Rationale | The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel. |
OVAL test results detailsTesting group ownership of /var/log/messages
oval:ssg-test_file_groupowner_var_log_messages_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_messages_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /var/log/messages | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_var_log_messages_0_0:ste:1 |
Verify User Who Owns /var/log Directoryxccdf_org.ssgproject.content_rule_file_owner_var_log mediumCCE-83914-2
Verify User Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_var_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_var_log:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83914-2 |
| References: | |
| Description | To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log
|
| Rationale | The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel. |
OVAL test results detailsTesting user ownership of /var/log/
oval:ssg-test_file_owner_var_log_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /var/log | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_var_log_0_0:ste:1 |
Verify User Who Owns /var/log/messages Filexccdf_org.ssgproject.content_rule_file_owner_var_log_messages mediumCCE-83915-9
Verify User Who Owns /var/log/messages File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_var_log_messages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_var_log_messages:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83915-9 |
| References: | |
| Description | To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages
|
| Rationale | The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel. |
OVAL test results detailsTesting user ownership of /var/log/messages
oval:ssg-test_file_owner_var_log_messages_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_messages_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /var/log/messages | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_var_log_messages_0_0:ste:1 |
Verify Permissions on /var/log Directoryxccdf_org.ssgproject.content_rule_file_permissions_var_log mediumCCE-83917-5
Verify Permissions on /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_var_log:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83917-5 |
| References: | |
| Description |
To properly set the permissions of /var/log, run the command:
$ sudo chmod 0755 /var/log
|
| Rationale | The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel. |
OVAL test results detailsTesting mode of /var/log/
oval:ssg-test_file_permissions_var_log_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /var/log | no value | oval:ssg-exclude_symlinks__var_log:ste:1 | oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1 |
Verify Permissions on /var/log/messages Filexccdf_org.ssgproject.content_rule_file_permissions_var_log_messages mediumCCE-83913-4
Verify Permissions on /var/log/messages File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_var_log_messages:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83913-4 |
| References: | |
| Description |
To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0600 /var/log/messages
|
| Rationale | The /var/log/messages file contains logs of error messages in
the system and should only be accessed by authorized personnel. |
OVAL test results detailsTesting mode of /var/log/messages
oval:ssg-test_file_permissions_var_log_messages_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_var_log_messages_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /var/log/messages | oval:ssg-exclude_symlinks__var_log_messages:ste:1 | oval:ssg-state_file_permissions_var_log_messages_0_mode_0600or_stricter_:ste:1 |
Verify that Shared Library Directories Have Root Group Ownershipxccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs mediumCCE-89858-5
Verify that Shared Library Directories Have Root Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_group_ownership_library_dirs:def:1 |
| Time | 2025-09-21T20:26:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-89858-5 |
| References: | |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR
|
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system. |
OVAL test results detailsTesting group ownership of /lib/
oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 |
Testing group ownership of /lib64/
oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 |
Testing group ownership of /usr/lib/
oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 |
Testing group ownership of /usr/lib64/
oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 |
Verify that Shared Library Directories Have Root Ownershipxccdf_org.ssgproject.content_rule_dir_ownership_library_dirs mediumCCE-89022-8
Verify that Shared Library Directories Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_ownership_library_dirs:def:1 |
| Time | 2025-09-21T20:26:39-05:00 |
| Severity | medium |
| Identifiers: | CCE-89022-8 |
| References: | |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR
|
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system. |
OVAL test results detailsTesting user ownership of /lib/
oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /lib64/
oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /usr/lib/
oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /usr/lib64/
oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 |
Verify that Shared Library Directories Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_dir_permissions_library_dirs mediumCCE-88693-7
Verify that Shared Library Directories Have Restrictive Permissions
| Rule ID | xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_permissions_library_dirs:def:1 |
| Time | 2025-09-21T20:26:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-88693-7 |
| References: | |
| Description | System-wide shared library directories, which contain are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All sub-directories in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w DIR
|
| Rationale | If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing
and approvals that are part of a robust change management process.
This requirement applies to operating systems with software libraries that are accessible
and configurable, as in the case of interpreted languages. Software libraries also include
privileged programs which execute with escalated privileges. Only qualified and authorized
individuals must be allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications. |
OVAL test results detailsTesting mode of /lib/
oval:ssg-test_file_permissionsdir_permissions_library_dirs_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | no value | oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 | oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 |
Testing mode of /lib64/
oval:ssg-test_file_permissionsdir_permissions_library_dirs_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | no value | oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 | oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 |
Testing mode of /usr/lib/
oval:ssg-test_file_permissionsdir_permissions_library_dirs_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | no value | oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 | oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 |
Testing mode of /usr/lib64/
oval:ssg-test_file_permissionsdir_permissions_library_dirs_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdir_permissions_library_dirs_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | no value | oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 | oval:ssg-state_file_permissionsdir_permissions_library_dirs_3_mode_7755or_stricter_:ste:1 |
Verify that system commands files are group owned by root or a system accountxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs mediumCCE-89442-8
Verify that system commands files are group owned by root or a system account
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_system_commands_dirs:def:1 |
| Time | 2025-09-21T20:26:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-89442-8 |
| References: | |
| Description | System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE
|
| Rationale | If the operating system allows any user to make changes to software
libraries, then those changes might be implemented without undergoing the
appropriate testing and approvals that are part of a robust change management
process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with
escalated privileges. Only qualified and authorized individuals must be
allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications. |
OVAL test results detailssystem commands are owned by root or a system account
oval:ssg-test_groupownership_system_commands_dirs:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin | ^.*$ | oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1 |
Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-83908-4
Verify that System Executables Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_binary_dirs:def:1 |
| Time | 2025-09-21T20:26:40-05:00 |
| Severity | medium |
| Identifiers: | CCE-83908-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-5(6), CM-5(6).1, CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000259-GPOS-00100 | | anssi | R50 | | stigid | RHEL-09-232190 | | stigref | SV-257918r1044977_rule |
|
| Description | System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE
|
| Rationale | System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted. |
OVAL test results detailsbinary directories uid root
oval:ssg-test_ownership_binary_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | no value | oval:ssg-state_owner_binaries_not_root:ste:1 |
binary files uid root
oval:ssg-test_ownership_binary_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_owner_binaries_not_root:ste:1 |
Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-83907-6
Verify that Shared Library Files Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_library_dirs:def:1 |
| Time | 2025-09-21T20:26:43-05:00 |
| Severity | medium |
| Identifiers: | CCE-83907-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-5(6), CM-5(6).1, CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000259-GPOS-00100 | | stigid | RHEL-09-232200 | | stigref | SV-257920r1069385_rule |
|
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE
|
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system. |
OVAL test results detailsTesting user ownership of /lib/
oval:ssg-test_file_ownership_library_dirs_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | ^.*$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /lib64/
oval:ssg-test_file_ownership_library_dirs_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | ^.*$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /usr/lib/
oval:ssg-test_file_ownership_library_dirs_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | ^.*$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 |
Testing user ownership of /usr/lib64/
oval:ssg-test_file_ownership_library_dirs_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | ^.*$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 |
Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs mediumCCE-83911-8
Verify that System Executables Have Restrictive Permissions
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_binary_dirs:def:1 |
| Time | 2025-09-21T20:26:43-05:00 |
| Severity | medium |
| Identifiers: | CCE-83911-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-5(6), CM-5(6).1, CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000259-GPOS-00100 | | anssi | R50 | | stigid | RHEL-09-232010 | | stigref | SV-257882r991560_rule |
|
| Description | System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
$ sudo chmod go-w FILE
|
| Rationale | System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted. |
OVAL test results detailsbinary files go-w
oval:ssg-test_perms_binary_files:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_binary_files:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 | oval:ssg-state_perms_binary_files_symlink:ste:1 |
Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-83909-2
Verify that Shared Library Files Have Restrictive Permissions
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_library_dirs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_library_dirs:def:1 |
| Time | 2025-09-21T20:26:46-05:00 |
| Severity | medium |
| Identifiers: | CCE-83909-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), CM-5(6), CM-5(6).1, AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000259-GPOS-00100 | | stigid | RHEL-09-232020 | | stigref | SV-257884r991560_rule |
|
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
|
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system. |
OVAL test results detailsTesting mode of /lib/
oval:ssg-test_file_permissions_library_dirs_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | ^.*$ | oval:ssg-exclude_symlinks__library_dirs:ste:1 | oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 |
Testing mode of /lib64/
oval:ssg-test_file_permissions_library_dirs_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | ^.*$ | oval:ssg-exclude_symlinks__library_dirs:ste:1 | oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 |
Testing mode of /usr/lib/
oval:ssg-test_file_permissions_library_dirs_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | ^.*$ | oval:ssg-exclude_symlinks__library_dirs:ste:1 | oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 |
Testing mode of /usr/lib64/
oval:ssg-test_file_permissions_library_dirs_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_library_dirs_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | ^.*$ | oval:ssg-exclude_symlinks__library_dirs:ste:1 | oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1 |
Verify the system-wide library files in directories
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files mediumCCE-87108-7
Verify the system-wide library files in directories
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
| Rule ID | xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-root_permissions_syslibrary_files:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-87108-7 |
| References: | |
| Description | System-wide library files are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
$ sudo chgrp root FILE
|
| Rationale | If the operating system were to allow any user to make changes to software libraries,
then those changes might be implemented without undergoing the appropriate testing and
approvals that are part of a robust change management process.
This requirement applies to operating systems with software libraries that are
accessible and configurable, as in the case of interpreted languages. Software libraries
also include privileged programs which execute with escalated privileges. Only qualified
and authorized individuals must be allowed to obtain access to information system components
for purposes of initiating changes, including upgrades and modifications. |
OVAL test results detailsTesting group ownership of /lib/
oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_0:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib | ^.*$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_0_0:ste:1 |
Testing group ownership of /lib64/
oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_1:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /lib64 | ^.*$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_0_0:ste:1 |
Testing group ownership of /usr/lib/
oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_2:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_2:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib | ^.*$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_0_0:ste:1 |
Testing group ownership of /usr/lib64/
oval:ssg-test_file_groupownerroot_permissions_syslibrary_files_3:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerroot_permissions_syslibrary_files_3:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| no value | /usr/lib64 | ^.*$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_0_0:ste:1 |
Ensure rootfiles tmpfile.d is Configured Correctlyxccdf_org.ssgproject.content_rule_rootfiles_configured mediumCCE-86474-4
Ensure rootfiles tmpfile.d is Configured Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_rootfiles_configured |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rootfiles_configured:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-86474-4 |
| References: | |
| Description | To set the mode of the root user initialization file /root/.bash_profile,
ensure the following lines are is included in a file ending in .conf under
/etc/tmpfiles.d/.
C /root/.bash_logout 600 root root - /usr/share/rootfiles/.bash_logout
C /root/.bash_profile 600 root root - /usr/share/rootfiles/.bash_profile
C /root/.bashrc 600 root root - /usr/share/rootfiles/.bashrc
C /root/.cshrc 600 root root - /usr/share/rootfiles/.cshrc
C /root/.tcshrc 600 root root - /usr/share/rootfiles/.tcshrc
|
| Rationale | Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon. |
|
|
OVAL test results detailsTests that .bash_logout is configured correctly.
oval:ssg-test_rootfiles_configured_bash_logout:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rootfiles_configured_bash_logout:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/tmpfiles.d/ | ^.*\.conf$ | ^C[[:blank:]]+\/root\/.bash_logout[[:blank:]]+(\d{3})[[:blank:]]+root[[:blank:]]+root[[:blank:]]+-[[:blank:]]+\/usr\/share\/rootfiles/.bash_logout$ | 1 |
Tests that .bash_profile is configured correctly.
oval:ssg-test_rootfiles_configured_bash_profile:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rootfiles_configured_bash_profile:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/tmpfiles.d/ | ^.*\.conf$ | ^C[[:blank:]]+\/root\/.bash_profile[[:blank:]]+(\d{3})[[:blank:]]+root[[:blank:]]+root[[:blank:]]+-[[:blank:]]+\/usr\/share\/rootfiles/.bash_profile$ | 1 |
Tests that .bashrc is configured correctly.
oval:ssg-test_rootfiles_configured_bashrc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rootfiles_configured_bashrc:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/tmpfiles.d/ | ^.*\.conf$ | ^C[[:blank:]]+\/root\/.bashrc[[:blank:]]+(\d{3})[[:blank:]]+root[[:blank:]]+root[[:blank:]]+-[[:blank:]]+\/usr\/share\/rootfiles/.bashrc$ | 1 |
Tests that .cshrc is configured correctly.
oval:ssg-test_rootfiles_configured_cshrc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rootfiles_configured_cshrc:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/tmpfiles.d/ | ^.*\.conf$ | ^C[[:blank:]]+\/root\/.cshrc[[:blank:]]+(\d{3})[[:blank:]]+root[[:blank:]]+root[[:blank:]]+-[[:blank:]]+\/usr\/share\/rootfiles/.cshrc$ | 1 |
Tests that .tcshrc is configured correctly.
oval:ssg-test_rootfiles_configured_tcshrc:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rootfiles_configured_tcshrc:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/tmpfiles.d/ | ^.*\.conf$ | ^C[[:blank:]]+\/root\/.tcshrc[[:blank:]]+(\d{3})[[:blank:]]+root[[:blank:]]+root[[:blank:]]+-[[:blank:]]+\/usr\/share\/rootfiles/.tcshrc$ | 1 |
Ensure All World-Writable Directories Are Owned by root Userxccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned mediumCCE-83903-5
Ensure All World-Writable Directories Are Owned by root User
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_root_owned:def:1 |
| Time | 2025-09-21T20:24:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83903-5 |
| References: | |
| Description | All directories in local partitions which are world-writable should be owned by root.
If any world-writable directories are not owned by root, this should be investigated.
Following this, the files should be deleted or assigned to root user. |
| Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the
owner of that directory to remove or replace any files that may be placed in the directory by
other users. |
OVAL test results detailscheck for local directories that are world writable and have uid greater than 0
oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid_zero:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | / | no value | oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-83895-3
Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
| Time | 2025-09-21T20:24:57-05:00 |
| Severity | medium |
| Identifiers: | CCE-83895-3 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000138-GPOS-00069 | | anssi | R54 | | cis | 7.1.11 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232245 | | stigref | SV-257929r958524_rule |
|
| Description | When the so-called 'sticky bit' is set on a directory, only the owner of a given file may
remove that file from the directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky bit prevents users from
removing each other's files. In cases where there is no reason for a directory to be
world-writable, a better solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application, consult that application's
documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
|
| Rationale | Failing to set the sticky bit on public directories allows unauthorized users to delete files
in the directory structure.
The only authorized public directories are those temporary directories supplied with the
system, or those designed to be temporary file repositories. The setting is normally reserved
for directories used by the system, by users for temporary file storage (such as /tmp),
and for directories requiring global read/write access. |
| Warnings | warning
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of directories present on the system. It is
not a problem in most cases, but especially systems with a large number of directories can
be affected. See https://access.redhat.com/articles/6999111. warning
Please note that there might be cases where the rule remediation cannot fix directory permissions.
This can happen for example when running on a system with some immutable parts.
These immutable parts cannot be remediated because they are read-only.
Example of such directories can be OStree deployments located at /sysroot/ostree/deploy.
In such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation. |
|
|
OVAL test results detailsCheck the existence of world-writable directories without sticky bits
oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /opt/share/ | directory | 0 | 0 | 4096 | rwxrwxrwx |
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-83906-8
Ensure All Files Are Owned by a Group
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_ungroupowned:def:1 |
| Time | 2025-09-21T20:26:03-05:00 |
| Severity | medium |
| Identifiers: | CCE-83906-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R53 | | cis | 7.1.12 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232250 | | stigref | SV-257930r991589_rule |
|
| Description | If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in /etc/group
or in /usr/lib/group if nss-altfiles are configured to be used
in /etc/nsswitch.conf.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
$ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null
|
| Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed. |
| Warnings | warning
This rule only considers local groups as valid groups.
If you have your groups defined outside /etc/group or /usr/lib/group, the rule won't consider those. warning
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. |
OVAL test results detailsTest if /etc/nssswitch.conf contains 'altfiles' in 'group' key
oval:ssg-test_file_permissions_ungroupowned_nsswitch_uses_altfiles:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/nsswitch.conf | group: files [SUCCESS=merge] sss [SUCCESS=merge] systemd |
there are no files with group owner different than local groups
oval:ssg-test_file_permissions_ungroupowned:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| /run/media/root/RHEL-9-6-0-BaseOS-x86_64 | | /boot/efi | | /boot | | / | | 19 | | 20 | | 33 | | 39 | | 50 | | 54 | | 63 | | 100 | | 65534 | | 22 | | 5 | | 1 | | 4 | | 3 | | 6 | | 0 | | 12 | | 8 | | 10 | | 7 | | 15 | | 18 | | 11 | | 9 | | 2 | | 35 | | 104 | | 36 | | 105 | | 106 | | 190 | | 999 | | 81 | | 998 | | 70 | | 997 | | 101 | | 172 | | 996 | | 995 | | 994 | | 993 | | 992 | | 59 | | 991 | | 990 | | 989 | | 156 | | 157 | | 158 | | 159 | | 988 | | 987 | | 42 | | 986 | | 985 | | 74 | | 21 | | 984 | | 983 | | 72 | | 1000 |
| no value | .* | oval:ssg-state_file_permissions_ungroupowned_local_group_owner:ste:1 | oval:ssg-state_file_permissions_ungroupowned_sysroot:ste:1 |
Test if /etc/nssswitch.conf contains 'altfiles' in 'group' key
oval:ssg-test_file_permissions_ungroupowned_nsswitch_uses_altfiles:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/nsswitch.conf | group: files [SUCCESS=merge] sss [SUCCESS=merge] systemd |
there are no files with group owner different than local groups
oval:ssg-test_file_permissions_ungroupowned_with_usrlib:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned_with_usrlib:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|
| /run/media/root/RHEL-9-6-0-BaseOS-x86_64 | | /boot/efi | | /boot | | / | | 19 | | 20 | | 33 | | 39 | | 50 | | 54 | | 63 | | 100 | | 65534 | | 22 | | 5 | | 1 | | 4 | | 3 | | 6 | | 0 | | 12 | | 8 | | 10 | | 7 | | 15 | | 18 | | 11 | | 9 | | 2 | | 35 | | 104 | | 36 | | 105 | | 106 | | 190 | | 999 | | 81 | | 998 | | 70 | | 997 | | 101 | | 172 | | 996 | | 995 | | 994 | | 993 | | 992 | | 59 | | 991 | | 990 | | 989 | | 156 | | 157 | | 158 | | 159 | | 988 | | 987 | | 42 | | 986 | | 985 | | 74 | | 21 | | 984 | | 983 | | 72 | | 1000 |
| no value | .* | oval:ssg-state_file_permissions_ungroupowned_local_group_owner_with_usrlib:ste:1 | oval:ssg-state_file_permissions_ungroupowned_sysroot:ste:1 |
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-83896-1
Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_files_unowned_by_user:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83896-1 |
| References: | | cis-csc | 11, 12, 13, 14, 15, 16, 18, 3, 5, 9 | | cobit5 | APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R53 | | cis | 7.1.12 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232255 | | stigref | SV-257931r991589_rule |
|
| Description | If any files are not owned by a user, then the cause of their lack of ownership should be
investigated. Following this, the files should be deleted or assigned to an appropriate user.
Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid user using the following command:
$ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null
|
| Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed. |
| Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwd returns a list of all users in your organization.
If using the System Security Services Daemon (SSSD), enumerate = true must be configured
in your organization's domain to return a complete list of users warning
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See https://access.redhat.com/articles/6999111. |
OVAL test results detailsthere are no files without a known owner
oval:ssg-test_no_files_unowned_by_user:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_files_unowned_by_user:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| 0 | | 1 | | 2 | | 3 | | 4 | | 5 | | 6 | | 7 | | 8 | | 11 | | 12 | | 14 | | 65534 | | 999 | | 81 | | 998 | | 70 | | 172 | | 997 | | 996 | | 994 | | 993 | | 59 | | 992 | | 991 | | 990 | | 159 | | 989 | | 988 | | 42 | | 987 | | 986 | | 74 | | 985 | | 984 | | 72 | | 1000 | | /run/media/root/RHEL-9-6-0-BaseOS-x86_64 | | /boot/efi | | /boot | | / |
| no value | .* | oval:ssg-state_no_files_unowned_by_user_uids_list:ste:1 |
Enable Kernel Parameter to Enforce DAC on Hardlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks mediumCCE-84110-6
Enable Kernel Parameter to Enforce DAC on Hardlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_hardlinks:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-84110-6 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | os-srg | SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 | | anssi | R14 | | stigid | RHEL-09-213030 | | stigref | SV-257801r958702_rule |
|
| Description | To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1
|
| Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of open() or creat(). |
OVAL test results detailsfs.protected_hardlinks static configuration
oval:ssg-test_sysctl_fs_protected_hardlinks_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_hardlinks:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_hardlinks:obj:1
|
fs.protected_hardlinks static configuration
oval:ssg-test_sysctl_fs_protected_hardlinks_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_hardlinks:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_hardlinks:obj:1
|
fs.protected_hardlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_fs_protected_hardlinks_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-default.conf | fs.protected_hardlinks = 1 |
kernel runtime parameter fs.protected_hardlinks set to 1
oval:ssg-test_sysctl_fs_protected_hardlinks_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | fs.protected_hardlinks | 1 |
Enable Kernel Parameter to Enforce DAC on Symlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks mediumCCE-83900-1
Enable Kernel Parameter to Enforce DAC on Symlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_fs_protected_symlinks:def:1 |
| Time | 2025-09-21T20:26:38-05:00 |
| Severity | medium |
| Identifiers: | CCE-83900-1 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1) | | os-srg | SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 | | anssi | R14 | | stigid | RHEL-09-213035 | | stigref | SV-257802r958702_rule |
|
| Description | To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1
|
| Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
open() or creat(). |
OVAL test results detailsfs.protected_symlinks static configuration
oval:ssg-test_sysctl_fs_protected_symlinks_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_symlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_symlinks:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_symlinks:obj:1
|
fs.protected_symlinks static configuration
oval:ssg-test_sysctl_fs_protected_symlinks_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_fs_protected_symlinks:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_symlinks:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_symlinks:obj:1
|
fs.protected_symlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_fs_protected_symlinks_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-default.conf | fs.protected_symlinks = 1
|
kernel runtime parameter fs.protected_symlinks set to 1
oval:ssg-test_sysctl_fs_protected_symlinks_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | fs.protected_symlinks | 1 |
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-83850-8
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83850-8 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.4.6 | | hipaa | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | cis | 2.1.1 | | stigid | RHEL-09-231040 | | stigref | SV-257849r1044928_rule |
|
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
|
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity. |
Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-83853-2
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_cramfs_disabled:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | low |
| Identifiers: | CCE-83853-2 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | cui | 3.4.6 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000095-GPOS-00049 | | cis | 1.1.1.1 | | stigid | RHEL-09-231195 | | stigref | SV-257880r1044951_rule |
|
| Description |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/false
This effectively prevents usage of this uncommon filesystem.
The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface
of the server. |
|
|
|
OVAL test results detailskernel module cramfs blacklisted
oval:ssg-test_kernmod_cramfs_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+cramfs$ | 1 |
kernel module cramfs disabled
oval:ssg-test_kernmod_cramfs_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ | 1 |
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-83851-6
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83851-6 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.21 | | hipaa | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6 | | iso27001-2013 | A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-7(a), CM-7(b), CM-6(a), MP-7 | | nist-csf | PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000141-CTR-000315 | | ccn | A.15.SEC-RHEL1 | | cis | 1.1.1.8 | | pcidss4 | 3.4.2, 3.4 | | stigid | RHEL-09-291010 | | stigref | SV-258034r1051267_rule |
|
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/false
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
|
|
|
OVAL test results detailskernel module usb-storage blacklisted
oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^blacklist\s+usb-storage$ | 1 |
kernel module usb-storage disabled
oval:ssg-test_kernmod_usb-storage_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | | /etc/modules-load.d | | /run/modprobe.d | | /run/modules-load.d | | /usr/lib/modprobe.d | | /usr/lib/modules-load.d |
| ^.*\.conf$ | ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ | 1 |
Add nosuid Option to /boot/efixccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid mediumCCE-86040-3
Add nosuid Option to /boot/efi
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_boot_efi_nosuid:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-86040-3 |
| References: | |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /boot/efi. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot/efi. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. |
|
|
OVAL test results detailsnosuid on /boot/efi
oval:ssg-test_boot_efi_partition_nosuid_optional:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| false | /boot/efi | /dev/nvme0n1p1 | 0C17-2873 | vfat | rw | relatime | fmask=0077 | dmask=0077 | codepage=437 | iocharset=ascii | shortname=winnt | errors=remount-ro | bind | 153296 | 1805 | 151491 |
/boot/efi exists
oval:ssg-test_boot_efi_partition_nosuid_optional_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /boot/efi | /dev/nvme0n1p1 | 0C17-2873 | vfat | rw | relatime | fmask=0077 | dmask=0077 | codepage=437 | iocharset=ascii | shortname=winnt | errors=remount-ro | bind | 153296 | 1805 | 151491 |
nosuid on /boot/efi in /etc/fstab
oval:ssg-test_boot_efi_partition_nosuid_optional_in_fstab:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/fstab | UUID=0C17-2873 /boot/efi vfat umask=0077,shortname=winnt |
/boot/efi exists in /etc/fstab
oval:ssg-test_boot_efi_partition_nosuid_optional_exist_in_fstab:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/fstab | UUID=0C17-2873 /boot/efi vfat umask=0077,shortname=winnt |
Add nodev Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nodev mediumCCE-83884-7
Add nodev Option to /boot
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_boot_nodev:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83884-7 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | stigid | RHEL-09-231095 | | stigref | SV-257860r1044940_rule |
|
| Description | The nodev mount option can be used to prevent device files from
being created in /boot.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
|
|
|
OVAL test results detailsnodev on /boot
oval:ssg-test_boot_partition_nodev_optional:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| false | /boot | /dev/nvme0n1p2 | dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 | xfs | rw | seclabel | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 245760 | 92660 | 153100 |
/boot exists
oval:ssg-test_boot_partition_nodev_optional_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /boot | /dev/nvme0n1p2 | dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 | xfs | rw | seclabel | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 245760 | 92660 | 153100 |
nodev on /boot in /etc/fstab
oval:ssg-test_boot_partition_nodev_optional_in_fstab:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/fstab | UUID=dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 /boot xfs defaults |
/boot exists in /etc/fstab
oval:ssg-test_boot_partition_nodev_optional_exist_in_fstab:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/fstab | UUID=dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 /boot xfs defaults |
Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-83877-1
Add nosuid Option to /boot
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_boot_nosuid:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83877-1 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 | | anssi | R28 | | stigid | RHEL-09-231100 | | stigref | SV-257861r1044941_rule |
|
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /boot. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. |
|
|
|
OVAL test results detailsnosuid on /boot
oval:ssg-test_boot_partition_nosuid_optional:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| false | /boot | /dev/nvme0n1p2 | dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 | xfs | rw | seclabel | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 245760 | 92660 | 153100 |
/boot exists
oval:ssg-test_boot_partition_nosuid_optional_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /boot | /dev/nvme0n1p2 | dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 | xfs | rw | seclabel | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 245760 | 92660 | 153100 |
nosuid on /boot in /etc/fstab
oval:ssg-test_boot_partition_nosuid_optional_in_fstab:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/fstab | UUID=dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 /boot xfs defaults |
/boot exists in /etc/fstab
oval:ssg-test_boot_partition_nosuid_optional_exist_in_fstab:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/fstab | UUID=dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 /boot xfs defaults |
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-83881-3
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nodev:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83881-3 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.2.2 | | stigid | RHEL-09-231110 | | stigref | SV-257863r958804_rule |
|
| Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
|
|
OVAL test results detailsnodev on /dev/shm
oval:ssg-test_dev_shm_partition_nodev_expected:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| true | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_nodev_expected_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
nodev on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_nodev_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nodev_expected_in_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-83857-3
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_noexec:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83857-3 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.2.4 | | stigid | RHEL-09-231115 | | stigref | SV-257864r958804_rule |
|
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
|
|
OVAL test results detailsnoexec on /dev/shm
oval:ssg-test_dev_shm_partition_noexec_expected:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| false | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_noexec_expected_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
noexec on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_noexec_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_noexec_expected_in_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-83891-2
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nosuid:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83891-2 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.2.3 | | stigid | RHEL-09-231120 | | stigref | SV-257865r1044946_rule |
|
| Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
|
|
OVAL test results detailsnosuid on /dev/shm
oval:ssg-test_dev_shm_partition_nosuid_expected:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| true | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
/dev/shm exists
oval:ssg-test_dev_shm_partition_nosuid_expected_exist:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| not evaluated | /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 222521 | 0 | 222521 |
nosuid on /dev/shm in /etc/fstab
oval:ssg-test_dev_shm_partition_nosuid_expected_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_dev_shm_partition_nosuid_expected_in_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nodev Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nodev unknownCCE-83871-4
Add nodev Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | unknown |
| Identifiers: | CCE-83871-4 |
| References: | |
| Description | The nodev mount option can be used to prevent device files from
being created in /home.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_noexec mediumCCE-83875-5
Add noexec Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_home_noexec:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83875-5 |
| References: | |
| Description | The noexec mount option can be used to prevent binaries from being
executed out of /home.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The /home directory contains data of individual users. Binaries in
this directory should not be considered as trusted and users should not be
able to execute them. |
OVAL test results detailsnoexec on /home
oval:ssg-test_home_partition_noexec_optional:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional:obj:1 of type
partition_object
/home exists
oval:ssg-test_home_partition_noexec_optional_exist:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional:obj:1 of type
partition_object
noexec on /home in /etc/fstab
oval:ssg-test_home_partition_noexec_optional_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional_in_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) | 1 |
/home exists in /etc/fstab
oval:ssg-test_home_partition_noexec_optional_exist_in_fstab:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_home_partition_noexec_optional_in_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fstab | ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) | 1 |
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-83894-6
Add nosuid Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83894-6 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 | | anssi | R28 | | cis | 1.1.2.3.3 | | stigid | RHEL-09-231050 | | stigref | SV-257851r1044932_rule |
|
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. |
Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions mediumCCE-83873-0
Add nodev Option to Non-Root Local Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83873-0 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 | | anssi | R28 | | stigid | RHEL-09-231200 | | stigref | SV-257881r991589_rule |
|
| Description | The nodev mount option prevents files from being interpreted as
character or block devices. Legitimate character and block devices should
exist only in the /dev directory on the root partition or within
chroot jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any non-root local partitions. |
| Rationale | The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems. |
|
|
OVAL test results detailsnodev on local filesystems
oval:ssg-test_nodev_nonroot_local_partitions:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_non_root_partitions:obj:1 of type
partition_object
| Mount point | Filter |
|---|
| ^/(?!boot|efi)\w.*$ | oval:ssg-state_local_nodev:ste:1 |
nodev on local filesystems in /etc/fstab
oval:ssg-test_nodev_nonroot_local_partitions_in_fstab:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/fstab | UUID=dbf0cd5e-ebe1-43e8-894f-8a062fc844a3 /boot xfs defaults |
| false | /etc/fstab | UUID=0C17-2873 /boot/efi vfat umask=0077,shortname=winnt |
Add nodev Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions mediumCCE-83856-5
Add nodev Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nodev_removable_partitions:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83856-5 |
| References: | | cis-csc | 11, 12, 13, 14, 16, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231085 | | stigref | SV-257858r991589_rule |
|
| Description | The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /dev/cdrom | symbolic link | 0 | 0 | 3 | rwxrwxrwx |
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'nodev' mount option in /etc/fstab
oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add noexec Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions mediumCCE-83883-9
Add noexec Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_noexec_removable_partitions:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83883-9 |
| References: | | cis-csc | 11, 12, 13, 14, 16, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231080 | | stigref | SV-257857r991589_rule |
|
| Description | The noexec mount option prevents the direct execution of binaries
on the mounted filesystem. Preventing the direct execution of binaries from
removable media (such as a USB key) provides a defense against malicious
software that may be present on such untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /dev/cdrom | symbolic link | 0 | 0 | 3 | rwxrwxrwx |
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'noexec' mount option in /etc/fstab
oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions mediumCCE-83874-8
Add nosuid Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_nosuid_removable_partitions:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83874-8 |
| References: | | cis-csc | 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9 | | cobit5 | APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231090 | | stigref | SV-257859r991589_rule |
|
| Description | The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs. |
OVAL test results detailsCheck if expected removable partitions truly exist on the system
oval:ssg-test_removable_partition_doesnt_exist:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /dev/cdrom | symbolic link | 0 | 0 | 3 | rwxrwxrwx |
Check if removable partition variable value represents CD/DVD drive
oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_removable_partition:var:1 | /dev/cdrom |
'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab
oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
'CD/DVD drive is not listed in /etc/fstab
oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /dev/cdrom | | /dev/dvd | | /dev/scd0 | | /dev/sr0 |
| /etc/fstab | 1 |
Check if removable partition is configured with 'nosuid' mount option in /etc/fstab
oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ | | /dev/cdrom |
| /etc/fstab | 1 |
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev mediumCCE-83869-8
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83869-8 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.1.2 | | stigid | RHEL-09-231125 | | stigref | SV-257866r958804_rule |
|
| Description | The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-83885-4
Add noexec Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83885-4 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | anssi | R28 | | cis | 1.1.2.1.4 | | stigid | RHEL-09-231130 | | stigref | SV-257867r958804_rule |
|
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-83872-2
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83872-2 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | anssi | R28 | | cis | 1.1.2.1.3 | | stigid | RHEL-09-231135 | | stigref | SV-257868r958804_rule |
|
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-83882-1
Add nodev Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83882-1 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.7.2 | | stigid | RHEL-09-231160 | | stigref | SV-257873r958804_rule |
|
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log/audit.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-83878-9
Add noexec Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83878-9 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.7.4 | | stigid | RHEL-09-231165 | | stigref | SV-257874r958804_rule |
|
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-83893-8
Add nosuid Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83893-8 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.7.3 | | stigid | RHEL-09-231170 | | stigref | SV-257875r958804_rule |
|
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit. The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files. |
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-83886-2
Add nodev Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83886-2 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.6.2 | | stigid | RHEL-09-231145 | | stigref | SV-257870r958804_rule |
|
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-83887-0
Add noexec Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83887-0 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | anssi | R28 | | cis | 1.1.2.6.4 | | stigid | RHEL-09-231150 | | stigref | SV-257871r958804_rule |
|
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-83870-6
Add nosuid Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83870-6 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | anssi | R28 | | cis | 1.1.2.6.3 | | stigid | RHEL-09-231155 | | stigref | SV-257872r958804_rule |
|
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. |
Add nodev Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nodev mediumCCE-83868-0
Add nodev Option to /var
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83868-0 |
| References: | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000368-GPOS-00154 | | cis | 1.1.2.4.2 | | stigid | RHEL-09-231140 | | stigref | SV-257869r958804_rule |
|
| Description | The nodev mount option can be used to prevent device files from
being created in /var.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev mediumCCE-83864-9
Add nodev Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83864-9 |
| References: | |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/tmp. Legitimate character and block devices
should not exist within temporary directories like /var/tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-83866-4
Add noexec Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83866-4 |
| References: | |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-83863-1
Add nosuid Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83863-1 |
| References: | |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Disable acquiring, saving, and processing core dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled mediumCCE-83974-6
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-coredump_disabled:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83974-6 |
| References: | |
| Description | The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. |
|
|
OVAL test results detailsTest that the property LoadState from the systemd-coredump.socket is masked
oval:ssg-test_socket_loadstate_is_masked_systemd-coredump:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| false | systemd-coredump.socket | LoadState | loaded |
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces mediumCCE-83984-5
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83984-5 |
| References: | |
| Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
|
|
OVAL test results detailstests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/systemd/coredump.conf |
[Coredump]
#Storage=external
#Compress=yes
ProcessSizeMax=1G |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage mediumCCE-83979-5
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83979-5 |
| References: | |
| Description | The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
|
|
|
OVAL test results detailstests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Storage setting in the /etc/systemd/coredump.conf.d file
oval:ssg-test_coredump_disable_storage_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps mediumCCE-83980-3
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_users_coredumps:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83980-3 |
| References: | | cis-csc | 1, 12, 13, 15, 16, 2, 7, 8 | | cobit5 | APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07 | | isa-62443-2013 | SR 6.2, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.17.2.1 | | nist | CM-6, SC-7(10) | | nist-csf | DE.CM-1, PR.DS-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | pcidss4 | 3.3.1.1, 3.3.1, 3.3 | | stigid | RHEL-09-213095 | | stigref | SV-257814r991589_rule |
|
| Description | To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
* hard core 0
|
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
|
|
|
OVAL test results detailsTests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) | 1 |
Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d_exists:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core | 1 |
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file
oval:ssg-test_core_dumps_limitsconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/security/limits.conf | ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) | 1 |
Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-83970-4
Enable ExecShield via sysctl
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_exec_shield:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83970-4 |
| References: | | cis-csc | 12, 15, 8 | | cobit5 | APO13.01, DSS05.02 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2013 | SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.13.1.1, A.13.2.1, A.14.1.3 | | nist | SC-39, CM-6(a) | | nist-csf | PR.PT-4 | | os-srg | SRG-OS-000433-GPOS-00192 | | stigid | RHEL-09-213110 | | stigref | SV-257817r1069383_rule |
|
| Description | By default on Red Hat Enterprise Linux 9 64-bit systems, ExecShield is
enabled and can only be disabled if the hardware does not support
ExecShield or is disabled in /etc/default/grub. |
| Rationale | ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address as
a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process's memory
regions such as the stack and heap higher than this address, the hardware
prevents execution in that address range. This is enabled by default on the
latest Red Hat and Fedora systems if supported by the hardware. |
OVAL test results details64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
NX is disabled
oval:ssg-test_nx_disabled_grub:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_nx_disabled_grub:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /boot/grub2/grub.cfg | [\s]*noexec[\s]*=[\s]*off | 1 |
Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-83972-0
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kptr_restrict:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-83972-0 |
| References: | | nerc-cip | CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4 | | nist | SC-30, SC-30(2), SC-30(5), CM-6(a) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227 | | anssi | R9 | | stigid | RHEL-09-213025 | | stigref | SV-257800r1044851_rule |
|
| Description | To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1
|
| Rationale | Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0. |
OVAL test results detailskernel.kptr_restrict static configuration
oval:ssg-test_sysctl_kernel_kptr_restrict_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1
|
kernel.kptr_restrict static configuration
oval:ssg-test_sysctl_kernel_kptr_restrict_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1
|
kernel.kptr_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_kptr_restrict_static_pkg_correct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /usr/lib/sysctl.d/50-redhat.conf | kernel.kptr_restrict = 1
|
kernel runtime parameter kernel.kptr_restrict set to 1 or 2
oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | kernel.kptr_restrict | 1 |
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-83971-2
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_randomize_va_space:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-83971-2 |
| References: | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | nerc-cip | CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4 | | nist | SC-30, SC-30(2), CM-6(a) | | pcidss | Req-2.2.1 | | os-srg | SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000450-CTR-001105 | | anssi | R9 | | cis | 1.5.1 | | pcidss4 | 3.3.1.1, 3.3.1, 3.3 | | stigid | RHEL-09-213070 | | stigref | SV-257809r1044866_rule |
|
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
|
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
|
|
|
OVAL test results detailskernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration
oval:ssg-test_sysctl_kernel_randomize_va_space_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_randomize_va_space:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1
|
kernel.randomize_va_space static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_randomize_va_space_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.randomize_va_space set to 2
oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | kernel.randomize_va_space | 2 |
Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument mediumCCE-83985-2
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_page_poison_argument:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-83985-2 |
| References: | |
| Description | To enable poisoning of free pages,
add the argument page_poison=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that page_poison=1 is added as a kernel command line
argument to newly installed kernels, add page_poison=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="page_poison=1"
If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form:
# /usr/lib/bootc/kargs.d/10-example.toml
kargs = ["page_poison=1"]
For more details on configuring kernel arguments in bootable container images, please refer to Bootc documentation. |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory. |
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for page_poison=1 for all boot entries.
oval:ssg-test_grub2_page_poison_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_page_poison_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for page_poison=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_page_poison_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for page_poison=1 for all boot entries.
oval:ssg-test_grub2_page_poison_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Disable storing core dumpsxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern mediumCCE-83961-3
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_core_pattern:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | medium |
| Identifiers: | CCE-83961-3 |
| References: | |
| Description | To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false
|
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
|
|
|
OVAL test results detailskernel.core_pattern static configuration
oval:ssg-test_sysctl_kernel_core_pattern_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1
|
kernel.core_pattern static configuration
oval:ssg-test_sysctl_kernel_core_pattern_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1
|
kernel.core_pattern static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_core_pattern_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /usr/lib/sysctl.d/50-coredump.conf | kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
|
kernel runtime parameter kernel.core_pattern set to |/bin/false
oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | kernel.core_pattern | |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h |
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-83952-2
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_dmesg_restrict:def:1 |
| Time | 2025-09-21T20:26:48-05:00 |
| Severity | low |
| Identifiers: | CCE-83952-2 |
| References: | | cui | 3.1.5 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | nist | SI-11(a), SI-11(b) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 | | app-srg-ctr | SRG-APP-000243-CTR-000600 | | anssi | R9 | | stigid | RHEL-09-213010 | | stigref | SV-257797r958514_rule |
|
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1
|
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
|
|
|
OVAL test results detailskernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1
|
kernel.dmesg_restrict static configuration
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1
|
kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_dmesg_restrict_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | kernel.dmesg_restrict | 0 |
Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-83954-8
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kexec_load_disabled:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83954-8 |
| References: | |
| Description | To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1
|
| Rationale | Disabling kexec_load allows greater control of the kernel memory.
It makes it impossible to load another kernel image after it has been disabled.
|
|
|
|
OVAL test results detailskernel.kexec_load_disabled static configuration
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1
|
kernel.kexec_load_disabled static configuration
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1
|
kernel.kexec_load_disabled static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.kexec_load_disabled set to 1
oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | kernel.kexec_load_disabled | 0 |
Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid lowCCE-83959-7
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_perf_event_paranoid:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | low |
| Identifiers: | CCE-83959-7 |
| References: | |
| Description | To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2
|
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
|
|
|
OVAL test results detailskernel.perf_event_paranoid static configuration
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1
|
kernel.perf_event_paranoid static configuration
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1
|
kernel.perf_event_paranoid static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.perf_event_paranoid set to 2
oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| true | kernel.perf_event_paranoid | 2 |
Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-83957-1
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83957-1 |
| References: | |
| Description | To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1
|
| Rationale | Loading and accessing the packet filters programs and maps using the bpf()
syscall has the potential of revealing sensitive information about the kernel state. |
|
|
|
OVAL test results detailskernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1
|
kernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1
|
kernel.unprivileged_bpf_disabled static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1
oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | kernel.unprivileged_bpf_disabled | 2 |
Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-83965-4
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83965-4 |
| References: | |
| Description | To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1
|
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace
on another processes of the user. Like this, the attacker can steal
sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
without any additional assistance from the user (i.e. without resorting to phishing).
|
|
|
|
OVAL test results detailskernel.yama.ptrace_scope static configuration
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1
|
kernel.yama.ptrace_scope static configuration
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1
|
kernel.yama.ptrace_scope static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_pkg_correct:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /usr/lib/sysctl.d/10-default-yama-scope.conf | kernel.yama.ptrace_scope = 0
|
kernel runtime parameter kernel.yama.ptrace_scope set to 1
oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | kernel.yama.ptrace_scope | 0 |
Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-83966-2
Harden the operation of the BPF just-in-time compiler
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_core_bpf_jit_harden:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-83966-2 |
| References: | |
| Description | To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2
|
| Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in /proc/kallsyms. |
|
|
|
OVAL test results detailsnet.core.bpf_jit_harden static configuration
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1
|
net.core.bpf_jit_harden static configuration
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1
|
net.core.bpf_jit_harden static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter net.core.bpf_jit_harden set to 2
oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | net.core.bpf_jit_harden | 1 |
Disable the use of user namespacesxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces_no_remediation mediumCCE-86209-4
Disable the use of user namespaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces_no_remediation |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_user_max_user_namespaces_no_remediation:def:1 |
| Time | 2025-09-21T20:26:49-05:00 |
| Severity | medium |
| Identifiers: | CCE-86209-4 |
| References: | |
| Description | To set the runtime status of the user.max_user_namespaces kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set
to large non-zero value. |
| Rationale | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
User namespaces are used primarily for Linux containers. The value 0
disallows the use of user namespaces. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled.
Note that this rule deliberately does not have remediations attached.
Use the sysctl_user_max_user_namespaces if you want to utilize remediation for this rule. |
OVAL test results detailsuser.max_user_namespaces static configuration
oval:ssg-test_sysctl_user_max_user_namespaces_no_remediation_static_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_user_max_user_namespaces_no_remediation:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_user_max_user_namespaces_no_remediation:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_user_max_user_namespaces_no_remediation:obj:1
|
user.max_user_namespaces static configuration
oval:ssg-test_sysctl_user_max_user_namespaces_no_remediation_static_user_missing:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_static_user_sysctl_user_max_user_namespaces_no_remediation:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_static_etc_lib_sysctls_sysctl_user_max_user_namespaces_no_remediation:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_user_max_user_namespaces_no_remediation:obj:1
|
user.max_user_namespaces static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_sysctl_user_max_user_namespaces_no_remediation_static_pkg_correct:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_sysctl_user_max_user_namespaces_no_remediation:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*\S)[\s]*$ | 1 |
kernel runtime parameter user.max_user_namespaces set to 0
oval:ssg-test_sysctl_user_max_user_namespaces_no_remediation_runtime:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Value |
|---|
| false | user.max_user_namespaces | 6691 |
Install policycoreutils-python-utils packagexccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed mediumCCE-84070-2
Install policycoreutils-python-utils package
| Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_policycoreutils-python-utils_installed:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-84070-2 |
| References: | |
| Description | The policycoreutils-python-utils package can be installed with the following command:
$ sudo dnf install policycoreutils-python-utils
|
| Rationale | This package is required to operate and manage an SELinux environment and its policies.
It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. |
OVAL test results detailspackage policycoreutils-python-utils is installed
oval:ssg-test_package_policycoreutils-python-utils_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | policycoreutils-python-utils | noarch | (none) | 2.1.el9 | 3.6 | 0:3.6-2.1.el9 | 199e2f91fd431d51 | policycoreutils-python-utils-0:3.6-2.1.el9.noarch |
Install policycoreutils Packagexccdf_org.ssgproject.content_rule_package_policycoreutils_installed lowCCE-84071-0
Install policycoreutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_policycoreutils_installed:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | low |
| Identifiers: | CCE-84071-0 |
| References: | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 | | stigid | RHEL-09-431025 | | stigref | SV-258081r1045164_rule |
|
| Description | The policycoreutils package can be installed with the following command:
$ sudo dnf install policycoreutils
|
| Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required for
basic operation of an SELinux-enabled system. These utilities include load_policy
to load SELinux policies, setfiles to label filesystems, newrole to
switch roles, and so on. |
OVAL test results detailspackage policycoreutils is installed
oval:ssg-test_package_policycoreutils_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | policycoreutils | x86_64 | (none) | 2.1.el9 | 3.6 | 0:3.6-2.1.el9 | 199e2f91fd431d51 | policycoreutils-0:3.6-2.1.el9.x86_64 |
Ensure No Device Files are Unlabeled by SELinuxxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled mediumCCE-85920-7
Ensure No Device Files are Unlabeled by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_all_devicefiles_labeled:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-85920-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO01.06, APO11.04, BAI01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.1.5, 3.7.2 | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 6.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6 | | nist-csf | DE.CM-1, DE.CM-7, PR.AC-4, PR.DS-5, PR.IP-1, PR.IP-3, PR.PT-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-232260 | | stigref | SV-257932r1014838_rule |
|
| Description | Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system. |
| Rationale | If a device file carries the SELinux type device_t or
unlabeled_t, then SELinux cannot properly restrict access to the
device file. |
| Warnings | warning
Automatic remediation of this control is not available. The remediation
can be achieved by amending SELinux policy. |
OVAL test results detailsdevice_t in /dev
oval:ssg-test_selinux_dev_device_t:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_device_t:obj:1 of type
selinuxsecuritycontext_object
| Filepath | Filter |
|---|
| /dev/vhost-net | | /dev/vhci | | /dev/vfio/vfio | | /dev/uinput | | /dev/net/tun | | /dev/lp3 | | /dev/nvme0n2 | | /dev/ng0n1 | | /dev/nvme0n1p3 | | /dev/nvme0n1p2 | | /dev/nvme0n1p1 | | /dev/nvme0n1 | | /dev/nvme0 | | /dev/dm-0 | | /dev/sr0 | | /dev/fb0 | | /dev/usbmon3 | | /dev/usbmon2 | | /dev/usbmon1 | | /dev/usbmon0 | | /dev/udmabuf | | /dev/nvram | | /dev/hpet | | /dev/ttyS3 | | /dev/ttyS2 | | /dev/ttyS1 | | /dev/ttyS0 | | /dev/ptmx | | /dev/autofs | | /dev/userfaultfd | | /dev/snapshot | | /dev/hwrng | | /dev/tty63 | | /dev/tty62 | | /dev/tty61 | | /dev/tty60 | | /dev/tty59 | | /dev/tty58 | | /dev/tty57 | | /dev/tty56 | | /dev/tty55 | | /dev/vsock | | /dev/vcsu4 | | /dev/vcs4 | | /dev/vcsa3 | | /dev/vcsu3 | | /dev/vcs3 | | /dev/vcsa2 | | /dev/vcsa6 | | /dev/vcsu6 | | /dev/vcs6 | | /dev/vcsa5 | | /dev/vcsu5 | | /dev/vcs5 | | /dev/vcsa4 | | /dev/vcsu2 | | /dev/vcs2 | | /dev/dmmidi | | /dev/midi | | /dev/vhost-vsock | | /dev/uhid | | /dev/loop-control | | /dev/fuse | | /dev/pts/ptmx | | /dev/cpu_dma_latency | | /dev/mcelog | | /dev/hidraw0 | | /dev/rtc0 | | /dev/input/event3 | | /dev/tty54 | | /dev/tty53 | | /dev/tty52 | | /dev/tty51 | | /dev/tty50 | | /dev/tty49 | | /dev/tty48 | | /dev/tty47 | | /dev/tty46 | | /dev/tty45 | | /dev/tty44 | | /dev/tty43 | | /dev/tty42 | | /dev/tty41 | | /dev/tty40 | | /dev/tty39 | | /dev/tty38 | | /dev/tty37 | | /dev/tty36 | | /dev/tty35 | | /dev/tty34 | | /dev/tty33 | | /dev/tty32 | | /dev/tty31 | | /dev/tty30 | | /dev/tty29 | | /dev/tty28 | | /dev/tty27 | | /dev/tty26 | | /dev/tty25 | | /dev/tty24 | | /dev/tty23 | | /dev/tty22 | | /dev/tty21 | | /dev/tty20 | | /dev/tty19 | | /dev/tty18 | | /dev/tty17 | | /dev/tty16 | | /dev/tty15 | | /dev/tty14 | | /dev/tty13 | | /dev/tty12 | | /dev/tty11 | | /dev/tty10 | | /dev/tty9 | | /dev/tty8 | | /dev/tty7 | | /dev/tty6 | | /dev/tty5 | | /dev/tty4 | | /dev/tty3 | | /dev/tty2 | | /dev/tty1 | | /dev/vcsa1 | | /dev/vcsu1 | | /dev/vcs1 | | /dev/vcsa | | /dev/vcsu | | /dev/tty0 | | /dev/console | | /dev/kmsg | | /dev/urandom | | /dev/random | | /dev/full | | /dev/zero | | /dev/port | | /dev/null | | /dev/vga_arbiter | | /dev/snd/timer | | /dev/vmci | | /dev/snd/controlC0 | | /dev/snd/midiC0D0 | | /dev/snd/pcmC0D1p | | /dev/snd/pcmC0D0c | | /dev/snd/pcmC0D0p | | /dev/snd/seq | | /dev/ppp | | /dev/lp2 | | /dev/lp1 | | /dev/lp0 | | /dev/dm-1 | | /dev/dri/card0 | | /dev/dri/renderD128 | | /dev/sg0 | | /dev/bsg/3:0:0:0 | | /dev/ng0n2 | | /dev/rfkill | | /dev/mapper/control | | /dev/pts/0 | | /dev/input/js0 | | /dev/input/event6 | | /dev/input/mouse3 | | /dev/input/event5 | | /dev/input/event4 | | /dev/bus/usb/004/001 | | /dev/input/mouse2 | | /dev/input/mouse1 | | /dev/input/event2 | | /dev/input/mouse0 | | /dev/input/event1 | | /dev/input/event0 | | /dev/input/mice | | /dev/usbmon4 | | /dev/bus/usb/002/001 | | /dev/bus/usb/003/002 | | /dev/bus/usb/003/001 | | /dev/dma_heap/system | | /dev/cpu/3/cpuid | | /dev/bus/usb/001/001 | | /dev/cpu/2/cpuid | | /dev/cpu/1/cpuid | | /dev/cpu/3/msr | | /dev/cpu/0/cpuid | | /dev/cpu/2/msr | | /dev/cpu/1/msr | | /dev/cpu/0/msr | | /dev/vcs | | /dev/tty | | /dev/mem |
| oval:ssg-state_selinux_dev_device_t:ste:1 |
unlabeled_t in /dev
oval:ssg-test_selinux_dev_unlabeled_t:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_unlabeled_t:obj:1 of type
selinuxsecuritycontext_object
| Filepath | Filter |
|---|
| /dev/vhost-net | | /dev/vhci | | /dev/vfio/vfio | | /dev/uinput | | /dev/net/tun | | /dev/lp3 | | /dev/nvme0n2 | | /dev/ng0n1 | | /dev/nvme0n1p3 | | /dev/nvme0n1p2 | | /dev/nvme0n1p1 | | /dev/nvme0n1 | | /dev/nvme0 | | /dev/dm-0 | | /dev/sr0 | | /dev/fb0 | | /dev/usbmon3 | | /dev/usbmon2 | | /dev/usbmon1 | | /dev/usbmon0 | | /dev/udmabuf | | /dev/nvram | | /dev/hpet | | /dev/ttyS3 | | /dev/ttyS2 | | /dev/ttyS1 | | /dev/ttyS0 | | /dev/ptmx | | /dev/autofs | | /dev/userfaultfd | | /dev/snapshot | | /dev/hwrng | | /dev/tty63 | | /dev/tty62 | | /dev/tty61 | | /dev/tty60 | | /dev/tty59 | | /dev/tty58 | | /dev/tty57 | | /dev/tty56 | | /dev/tty55 | | /dev/vsock | | /dev/vcsu4 | | /dev/vcs4 | | /dev/vcsa3 | | /dev/vcsu3 | | /dev/vcs3 | | /dev/vcsa2 | | /dev/vcsa6 | | /dev/vcsu6 | | /dev/vcs6 | | /dev/vcsa5 | | /dev/vcsu5 | | /dev/vcs5 | | /dev/vcsa4 | | /dev/vcsu2 | | /dev/vcs2 | | /dev/dmmidi | | /dev/midi | | /dev/vhost-vsock | | /dev/uhid | | /dev/loop-control | | /dev/fuse | | /dev/pts/ptmx | | /dev/cpu_dma_latency | | /dev/mcelog | | /dev/hidraw0 | | /dev/rtc0 | | /dev/input/event3 | | /dev/tty54 | | /dev/tty53 | | /dev/tty52 | | /dev/tty51 | | /dev/tty50 | | /dev/tty49 | | /dev/tty48 | | /dev/tty47 | | /dev/tty46 | | /dev/tty45 | | /dev/tty44 | | /dev/tty43 | | /dev/tty42 | | /dev/tty41 | | /dev/tty40 | | /dev/tty39 | | /dev/tty38 | | /dev/tty37 | | /dev/tty36 | | /dev/tty35 | | /dev/tty34 | | /dev/tty33 | | /dev/tty32 | | /dev/tty31 | | /dev/tty30 | | /dev/tty29 | | /dev/tty28 | | /dev/tty27 | | /dev/tty26 | | /dev/tty25 | | /dev/tty24 | | /dev/tty23 | | /dev/tty22 | | /dev/tty21 | | /dev/tty20 | | /dev/tty19 | | /dev/tty18 | | /dev/tty17 | | /dev/tty16 | | /dev/tty15 | | /dev/tty14 | | /dev/tty13 | | /dev/tty12 | | /dev/tty11 | | /dev/tty10 | | /dev/tty9 | | /dev/tty8 | | /dev/tty7 | | /dev/tty6 | | /dev/tty5 | | /dev/tty4 | | /dev/tty3 | | /dev/tty2 | | /dev/tty1 | | /dev/vcsa1 | | /dev/vcsu1 | | /dev/vcs1 | | /dev/vcsa | | /dev/vcsu | | /dev/tty0 | | /dev/console | | /dev/kmsg | | /dev/urandom | | /dev/random | | /dev/full | | /dev/zero | | /dev/port | | /dev/null | | /dev/vga_arbiter | | /dev/snd/timer | | /dev/vmci | | /dev/snd/controlC0 | | /dev/snd/midiC0D0 | | /dev/snd/pcmC0D1p | | /dev/snd/pcmC0D0c | | /dev/snd/pcmC0D0p | | /dev/snd/seq | | /dev/ppp | | /dev/lp2 | | /dev/lp1 | | /dev/lp0 | | /dev/dm-1 | | /dev/dri/card0 | | /dev/dri/renderD128 | | /dev/sg0 | | /dev/bsg/3:0:0:0 | | /dev/ng0n2 | | /dev/rfkill | | /dev/mapper/control | | /dev/pts/0 | | /dev/input/js0 | | /dev/input/event6 | | /dev/input/mouse3 | | /dev/input/event5 | | /dev/input/event4 | | /dev/bus/usb/004/001 | | /dev/input/mouse2 | | /dev/input/mouse1 | | /dev/input/event2 | | /dev/input/mouse0 | | /dev/input/event1 | | /dev/input/event0 | | /dev/input/mice | | /dev/usbmon4 | | /dev/bus/usb/002/001 | | /dev/bus/usb/003/002 | | /dev/bus/usb/003/001 | | /dev/dma_heap/system | | /dev/cpu/3/cpuid | | /dev/bus/usb/001/001 | | /dev/cpu/2/cpuid | | /dev/cpu/1/cpuid | | /dev/cpu/3/msr | | /dev/cpu/0/cpuid | | /dev/cpu/2/msr | | /dev/cpu/1/msr | | /dev/cpu/0/msr | | /dev/vcs | | /dev/tty | | /dev/mem |
| oval:ssg-state_selinux_dev_unlabeled_t:ste:1 |
Elevate The SELinux Context When An Administrator Calls The Sudo Commandxccdf_org.ssgproject.content_rule_selinux_context_elevation_for_sudo mediumCCE-86576-6
Elevate The SELinux Context When An Administrator Calls The Sudo Command
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_context_elevation_for_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_context_elevation_for_sudo:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-86576-6 |
| References: | |
| Description | Configure the operating system to elevate the SELinux context when an administrator calls
the sudo command.
Edit a file in the /etc/sudoers.d directory with the following command:
sudo visudo -f /etc/sudoers.d/CUSTOM_FILE
Use the following example to build the CUSTOM_FILE in the /etc/sudoers.d directory
to allow any administrator belonging to a designated sudoers admin group to elevate their
SELinux context with the use of the sudo command:
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
|
| Rationale | Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example,
establishing accounts, performing system integrity checks, or administering
cryptographic key management activities. Non-privileged users are individuals
who do not possess appropriate authorizations. Circumventing intrusion detection
and prevention mechanisms or malicious code protection mechanisms are examples
of privileged functions that require protection from non-privileged users. |
OVAL test results detailscheck correct configuration in /etc/sudoers and /etc/sudoers.d/*
oval:ssg-test_sudo_selinux_elevation_type:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_selinux_elevation_type:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^\s*%\w+.*TYPE=(\w+).*$ | 1 |
check correct configuration in /etc/sudoers and /etc/sudoers.d/*
oval:ssg-test_sudo_selinux_elevation_role:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_selinux_elevation_role:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sudoers(\.d/.*)?$ | ^\s*%\w+.*ROLE=(\w+).*$ | 1 |
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-84074-4
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | medium |
| Identifiers: | CCE-84074-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.7.2 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AC-3, AC-3(3)(a), AU-9, SC-7(21) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 | | ospp | FMT_MOF_EXT.1 | | os-srg | SRG-OS-000445-GPOS-00199 | | app-srg-ctr | SRG-APP-000233-CTR-000585 | | anssi | R46, R64 | | bsi | APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21 | | ccn | A.6.SEC-RHEL1 | | cis | 1.3.1.3 | | pcidss4 | 1.2.6, 1.2 | | stigid | RHEL-09-431015 | | stigref | SV-258079r1045159_rule |
|
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
OVAL test results detailstests the value of SELINUXTYPE setting in the /etc/selinux/config file
oval:ssg-test_selinux_policytype:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/selinux/config | SELINUXTYPE=targeted |
The configuration file /etc/selinux/config exists for selinux_policytype
oval:ssg-test_selinux_policytype_config_file_exists:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/selinux/config | regular | 0 | 0 | 1263 | rw-r--r-- |
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-84079-3
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_state:def:1 |
| Time | 2025-09-21T20:26:50-05:00 |
| Severity | high |
| Identifiers: | CCE-84079-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 | | cobit5 | APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01 | | cui | 3.1.2, 3.7.2 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5 | | nist | AC-3, AC-3(3)(a), AU-9, SC-7(21) | | nist-csf | DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4 | | ospp | FMT_MOF_EXT.1 | | os-srg | SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068 | | anssi | R37, R79 | | bsi | APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21 | | ccn | A.6.SEC-RHEL1 | | cis | 1.3.1.5 | | pcidss4 | 1.2.6, 1.2 | | stigid | RHEL-09-431010 | | stigref | SV-258078r958944_rule |
|
| Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
|
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/selinux/config | SELINUX=enforcing |
Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-84232-8
Disable KDump Kernel Crash Analyzer (kdump)
| Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_kdump_disabled:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84232-8 |
| References: | | cis-csc | 11, 12, 14, 15, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | ospp | FMT_SMF_EXT.1.1 | | os-srg | SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-213115 | | stigref | SV-257818r1044876_rule |
|
| Description | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
|
| Rationale | Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service. |
|
|
|
|
|
|
OVAL test results detailspackage kexec-tools is removed
oval:ssg-service_kdump_disabled_test_service_kdump_package_kexec-tools_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kexec-tools | x86_64 | (none) | 5.el9_6.2 | 2.0.29 | 0:2.0.29-5.el9_6.2 | 199e2f91fd431d51 | kexec-tools-0:2.0.29-5.el9_6.2.x86_64 |
Test that the kdump service is not running
oval:ssg-test_service_not_running_service_kdump_disabled_kdump:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| false | kdump.service | ActiveState | active |
Test that the property LoadState from the service kdump is masked
oval:ssg-test_service_loadstate_is_masked_service_kdump_disabled_kdump:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| false | kdump.service | LoadState | loaded |
Install the cron servicexccdf_org.ssgproject.content_rule_package_cron_installed mediumCCE-86170-8
Install the cron service
| Rule ID | xccdf_org.ssgproject.content_rule_package_cron_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_cron_installed:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-86170-8 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.1 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description | The Cron service should be installed. |
| Rationale | The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. |
OVAL test results detailspackage cronie is installed
oval:ssg-test_package_cronie_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | cronie | x86_64 | (none) | 14.el9_6 | 1.5.7 | 0:1.5.7-14.el9_6 | 199e2f91fd431d51 | cronie-0:1.5.7-14.el9_6.x86_64 |
Verify Group Who Owns cron.dxccdf_org.ssgproject.content_rule_file_groupowner_cron_d mediumCCE-84177-5
Verify Group Who Owns cron.d
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_d:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84177-5 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.7 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/cron.d, run the command:
$ sudo chgrp root /etc/cron.d
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.d/
oval:ssg-test_file_groupowner_cron_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.d | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_d_0_0:ste:1 |
Verify Group Who Owns cron.dailyxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily mediumCCE-84170-0
Verify Group Who Owns cron.daily
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_daily:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84170-0 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.4 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/cron.daily, run the command:
$ sudo chgrp root /etc/cron.daily
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.daily/
oval:ssg-test_file_groupowner_cron_daily_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.daily | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_daily_0_0:ste:1 |
Verify Group Who Owns cron.denyxccdf_org.ssgproject.content_rule_file_groupowner_cron_deny mediumCCE-86537-8
Verify Group Who Owns cron.deny
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_deny:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-86537-8 |
| References: | |
| Description |
To properly set the group owner of /etc/cron.deny, run the command:
$ sudo chgrp root /etc/cron.deny
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.deny
oval:ssg-test_file_groupowner_cron_deny_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_deny_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/cron.deny | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_deny_0_0:ste:1 |
Verify Group Who Owns cron.hourlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly mediumCCE-84186-6
Verify Group Who Owns cron.hourly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_hourly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84186-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/cron.hourly, run the command:
$ sudo chgrp root /etc/cron.hourly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.hourly/
oval:ssg-test_file_groupowner_cron_hourly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.hourly | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_hourly_0_0:ste:1 |
Verify Group Who Owns cron.monthlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly mediumCCE-84189-0
Verify Group Who Owns cron.monthly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_monthly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84189-0 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.6 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/cron.monthly, run the command:
$ sudo chgrp root /etc/cron.monthly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.monthly/
oval:ssg-test_file_groupowner_cron_monthly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.monthly | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_monthly_0_0:ste:1 |
Verify Group Who Owns cron.weeklyxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly mediumCCE-84174-2
Verify Group Who Owns cron.weekly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_weekly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84174-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/cron.weekly, run the command:
$ sudo chgrp root /etc/cron.weekly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/cron.weekly/
oval:ssg-test_file_groupowner_cron_weekly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.weekly | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_cron_weekly_0_0:ste:1 |
Verify Group Who Owns Crontabxccdf_org.ssgproject.content_rule_file_groupowner_crontab mediumCCE-84171-8
Verify Group Who Owns Crontab
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_crontab:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84171-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.2 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232235 | | stigref | SV-257927r991589_rule |
|
| Description |
To properly set the group owner of /etc/crontab, run the command:
$ sudo chgrp root /etc/crontab
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/crontab
oval:ssg-test_file_groupowner_crontab_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/crontab | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_crontab_0_0:ste:1 |
Verify Owner on cron.dxccdf_org.ssgproject.content_rule_file_owner_cron_d mediumCCE-84169-2
Verify Owner on cron.d
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_d:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84169-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.7 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/cron.d, run the command:
$ sudo chown root /etc/cron.d
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.d/
oval:ssg-test_file_owner_cron_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.d | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_d_0_0:ste:1 |
Verify Owner on cron.dailyxccdf_org.ssgproject.content_rule_file_owner_cron_daily mediumCCE-84188-2
Verify Owner on cron.daily
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_daily |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_daily:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84188-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.4 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/cron.daily, run the command:
$ sudo chown root /etc/cron.daily
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.daily/
oval:ssg-test_file_owner_cron_daily_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.daily | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_daily_0_0:ste:1 |
Verify Owner on cron.denyxccdf_org.ssgproject.content_rule_file_owner_cron_deny mediumCCE-86887-7
Verify Owner on cron.deny
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_deny:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-86887-7 |
| References: | |
| Description |
To properly set the owner of /etc/cron.deny, run the command:
$ sudo chown root /etc/cron.deny
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.deny
oval:ssg-test_file_owner_cron_deny_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_deny_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/cron.deny | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_deny_0_0:ste:1 |
Verify Owner on cron.hourlyxccdf_org.ssgproject.content_rule_file_owner_cron_hourly mediumCCE-84168-4
Verify Owner on cron.hourly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_hourly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_hourly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84168-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/cron.hourly, run the command:
$ sudo chown root /etc/cron.hourly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.hourly/
oval:ssg-test_file_owner_cron_hourly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.hourly | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_hourly_0_0:ste:1 |
Verify Owner on cron.monthlyxccdf_org.ssgproject.content_rule_file_owner_cron_monthly mediumCCE-84179-1
Verify Owner on cron.monthly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_monthly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_monthly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84179-1 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.6 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/cron.monthly, run the command:
$ sudo chown root /etc/cron.monthly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.monthly/
oval:ssg-test_file_owner_cron_monthly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.monthly | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_monthly_0_0:ste:1 |
Verify Owner on cron.weeklyxccdf_org.ssgproject.content_rule_file_owner_cron_weekly mediumCCE-84190-8
Verify Owner on cron.weekly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_weekly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_weekly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84190-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/cron.weekly, run the command:
$ sudo chown root /etc/cron.weekly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/cron.weekly/
oval:ssg-test_file_owner_cron_weekly_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/cron.weekly | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_cron_weekly_0_0:ste:1 |
Verify Owner on crontabxccdf_org.ssgproject.content_rule_file_owner_crontab mediumCCE-84167-6
Verify Owner on crontab
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_crontab:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84167-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.2 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232230 | | stigref | SV-257926r991589_rule |
|
| Description |
To properly set the owner of /etc/crontab, run the command:
$ sudo chown root /etc/crontab
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/crontab
oval:ssg-test_file_owner_crontab_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_crontab_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/crontab | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_crontab_0_0:ste:1 |
Verify Permissions on cron.dxccdf_org.ssgproject.content_rule_file_permissions_cron_d mediumCCE-84183-3
Verify Permissions on cron.d
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_cron_d:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84183-3 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.7 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description |
To properly set the permissions of /etc/cron.d, run the command:
$ sudo chmod 0700 /etc/cron.d
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/cron.d/
oval:ssg-test_file_permissions_cron_d_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/cron.d/ | directory | 0 | 0 | 21 | rwxr-xr-x |
Verify Permissions on cron.dailyxccdf_org.ssgproject.content_rule_file_permissions_cron_daily mediumCCE-84175-9
Verify Permissions on cron.daily
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_daily |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_cron_daily:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84175-9 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.4 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description |
To properly set the permissions of /etc/cron.daily, run the command:
$ sudo chmod 0700 /etc/cron.daily
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/cron.daily/
oval:ssg-test_file_permissions_cron_daily_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/cron.daily/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Verify Permissions on cron.hourlyxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly mediumCCE-84173-4
Verify Permissions on cron.hourly
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_cron_hourly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84173-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description |
To properly set the permissions of /etc/cron.hourly, run the command:
$ sudo chmod 0700 /etc/cron.hourly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/cron.hourly/
oval:ssg-test_file_permissions_cron_hourly_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/cron.hourly/ | directory | 0 | 0 | 22 | rwxr-xr-x |
Verify Permissions on cron.monthlyxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly mediumCCE-84181-7
Verify Permissions on cron.monthly
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_cron_monthly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84181-7 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.6 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description |
To properly set the permissions of /etc/cron.monthly, run the command:
$ sudo chmod 0700 /etc/cron.monthly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/cron.monthly/
oval:ssg-test_file_permissions_cron_monthly_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/cron.monthly/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Verify Permissions on cron.weeklyxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly mediumCCE-84187-4
Verify Permissions on cron.weekly
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_cron_weekly:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84187-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 2.4.1.5 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-232040 | | stigref | SV-257888r1069378_rule |
|
| Description |
To properly set the permissions of /etc/cron.weekly, run the command:
$ sudo chmod 0700 /etc/cron.weekly
|
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/cron.weekly/
oval:ssg-test_file_permissions_cron_weekly_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/cron.weekly/ | directory | 0 | 0 | 6 | rwxr-xr-x |
Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-84224-5
Install fapolicyd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_fapolicyd_installed:def:1 |
| Time | 2025-09-21T20:26:51-05:00 |
| Severity | medium |
| Identifiers: | CCE-84224-5 |
| References: | | nist | CM-6(a), SI-4(22) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230 | | stigid | RHEL-09-433010 | | stigref | SV-258089r1045179_rule |
|
| Description | The fapolicyd package can be installed with the following command:
$ sudo dnf install fapolicyd
|
| Rationale | fapolicyd (File Access Policy Daemon)
implements application whitelisting to decide file access rights.
|
|
|
|
|
|
|
|
OVAL test results detailspackage fapolicyd is installed
oval:ssg-test_package_fapolicyd_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_fapolicyd_installed:obj:1 of type
rpminfo_object
Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-84227-8
Enable the File Access Policy Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_fapolicyd_enabled:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-84227-8 |
| References: | | nist | CM-6(a), SI-4(22) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230 | | stigid | RHEL-09-433015 | | stigref | SV-258090r958808_rule |
|
| Description | The File Access Policy service should be enabled.
The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
|
| Rationale | The fapolicyd service (File Access Policy Daemon)
implements application whitelisting to decide file access rights. |
|
|
|
|
|
OVAL test results detailspackage fapolicyd is installed
oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1 of type
rpminfo_object
Test that the fapolicyd service is running
oval:ssg-test_service_running_fapolicyd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_fapolicyd:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^fapolicyd\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_fapolicyd:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.xccdf_org.ssgproject.content_rule_fapolicy_default_deny mediumCCE-86479-3
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
| Rule ID | xccdf_org.ssgproject.content_rule_fapolicy_default_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-fapolicy_default_deny:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86479-3 |
| References: | | nist | CM-7 (2), CM-7 (5) (b), CM-6 b | | os-srg | SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232 | | stigid | RHEL-09-433016 | | stigref | SV-270180r1045182_rule |
|
| Description | The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. |
| Rationale | Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software.
Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
Proceed with caution with enforcing the use of this daemon.
Improper configuration may render the system non-functional.
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. |
|
|
OVAL test results detailsfapolicyd employs a deny-all policy in compiled.rules file
oval:ssg-test_fapolicy_default_deny_policy_with_rulesd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_fapolicy_default_deny_policy_compiled_rules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fapolicyd/compiled.rules | ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z | 1 |
fapolicyd employs a deny-all policy in fapolicyd.rules file
oval:ssg-test_fapolicy_default_deny_policy_without_rulesd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_fapolicy_default_deny_policy_fapolicyd_rules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fapolicyd/fapolicyd.rules | ^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z | 1 |
permissive mode is disabled in fapolicyd settings
oval:ssg-test_fapolicy_default_deny_enforcement:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_fapolicy_default_deny_permissive_mode:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/fapolicyd/fapolicyd.conf | ^\s*permissive\s*=\s*(\d+) | 1 |
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-84159-3
Uninstall vsftpd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_vsftpd_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_vsftpd_removed:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | high |
| Identifiers: | CCE-84159-3 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 | | ccn | A.8.SEC-RHEL4 | | cis | 2.1.7 | | stigid | RHEL-09-215015 | | stigref | SV-257826r1044890_rule |
|
| Description | The vsftpd package can be removed with the following command: $ sudo dnf remove vsftpd
|
| Rationale | Removing the vsftpd package decreases the risk of its
accidental activation. |
OVAL test results detailspackage vsftpd is removed
oval:ssg-test_package_vsftpd_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type
rpminfo_object
Configure System to Forward All Mail For The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias mediumCCE-90826-9
Configure System to Forward All Mail For The Root Account
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-postfix_client_configure_mail_alias:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-90826-9 |
| References: | |
| Description | Make sure that mails delivered to root user are forwarded to a monitored
email address. Make sure that the address
change_me@localhost is a valid email address
reachable from the system in question. Use the following command to
configure the alias:
$ sudo echo "root: change_me@localhost" >> /etc/aliases
$ sudo newaliases
|
| Rationale | A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues. These messages must
be forwarded to at least one monitored email address. |
|
|
OVAL test results detailsCheck if root has the correct mail alias.
oval:ssg-test_postfix_client_configure_mail_alias:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_root_mail_alias:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/aliases | ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ | 1 |
Configure System to Forward All Mail From Postmaster to The Root Accountxccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster mediumCCE-89064-0
Configure System to Forward All Mail From Postmaster to The Root Account
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-postfix_client_configure_mail_alias_postmaster:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-89064-0 |
| References: | |
| Description | Verify the administrators are notified in the event of an audit processing failure.
Check that the "/etc/aliases" file has a defined value for "root".
$ sudo grep "postmaster:\s*root$" /etc/aliases
postmaster: root
|
| Rationale | It is critical for the appropriate personnel to be aware if a system is at risk of failing to
process audit logs as required. Without this notification, the security personnel may be
unaware of an impending failure of the audit capability, and system operation may be adversely
affected.
Audit processing failures include software/hardware errors, failures in the audit capturing
mechanisms, and audit storage capacity being reached or exceeded. |
OVAL test results detailsCheck if postmaster has the correct mail alias
oval:ssg-test_postfix_client_configure_mail_alias_postmaster:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/aliases | postmaster: root |
Prevent Unrestricted Mail Relayingxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay mediumCCE-87232-5
Prevent Unrestricted Mail Relaying
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-87232-5 |
| References: | |
| Description | Modify the /etc/postfix/main.cf file to restrict client connections
to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
|
| Rationale | If unrestricted mail relaying is permitted, unauthorized senders could use this
host as a mail relay for the purpose of sending spam or other unauthorized
activity. |
The Postfix package is installedxccdf_org.ssgproject.content_rule_package_postfix_installed mediumCCE-85984-3
The Postfix package is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_postfix_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_postfix_installed:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-85984-3 |
| References: | |
| Description | A mail server is required for sending emails.
The postfix package can be installed with the following command:
$ sudo dnf install postfix
|
| Rationale | Emails can be used to notify designated personnel about important
system events such as failures or warnings. |
|
|
|
|
|
|
|
OVAL test results detailspackage postfix is installed
oval:ssg-test_package_postfix_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_postfix_installed:obj:1 of type
rpminfo_object
The s-nail Package Is Installedxccdf_org.ssgproject.content_rule_package_s-nail_installed mediumCCE-86608-7
The s-nail Package Is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_s-nail_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_s-nail_installed:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-86608-7 |
| References: | |
| Description | A mail server is required for sending emails.
The s-nail package can be installed with the following command:
$ sudo dnf install s-nail
|
| Rationale | Emails can be used to notify designated personnel about important
system events such as failures or warnings. |
|
|
|
|
|
|
|
OVAL test results detailspackage s-nail is installed
oval:ssg-test_package_s-nail_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_s-nail_installed:obj:1 of type
rpminfo_object
Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-90830-1
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sendmail_removed:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-90830-1 |
| References: | | cis-csc | 11, 14, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 | | anssi | R62 | | stigid | RHEL-09-215020 | | stigref | SV-257827r1044892_rule |
|
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo dnf remove sendmail
|
| Rationale | The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. |
OVAL test results detailspackage sendmail is removed
oval:ssg-test_package_sendmail_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type
rpminfo_object
Mount Remote Filesystems with nodevxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems mediumCCE-90838-4
Mount Remote Filesystems with nodev
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-90838-4 |
| References: | | cis-csc | 11, 13, 14, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2 | | nist | CM-6(a), MP-2 | | nist-csf | PR.IP-1, PR.PT-2, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231065 | | stigref | SV-257854r1044934_rule |
|
| Description | Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users. |
Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems mediumCCE-84246-8
Mount Remote Filesystems with noexec
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-84246-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-6, AC-6(8), AC-6(10), CM-6(a) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231070 | | stigref | SV-257855r1044936_rule |
|
| Description | Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | The noexec mount option causes the system not to execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized
administrative access. |
Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-84247-6
Mount Remote Filesystems with nosuid
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-84247-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-6, AC-6(1), CM6(a) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-231075 | | stigref | SV-257856r1044938_rule |
|
| Description | Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem. |
The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed mediumCCE-84215-3
The Chrony package is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_chrony_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_chrony_installed:def:1 |
| Time | 2025-09-21T20:26:53-05:00 |
| Severity | medium |
| Identifiers: | CCE-84215-3 |
| References: | |
| Description | System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The chrony package can be installed with the following command:
$ sudo dnf install chrony
|
| Rationale | Time synchronization is important to support time sensitive security mechanisms like
Kerberos and also ensures log files have consistent time records across the enterprise,
which aids in forensic investigations. |
OVAL test results detailspackage chrony is installed
oval:ssg-test_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | chrony | x86_64 | (none) | 1.el9 | 4.6.1 | 0:4.6.1-1.el9 | 199e2f91fd431d51 | chrony-0:4.6.1-1.el9.x86_64 |
The Chronyd service is enabledxccdf_org.ssgproject.content_rule_service_chronyd_enabled mediumCCE-84217-9
The Chronyd service is enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_chronyd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_chronyd_enabled:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | medium |
| Identifiers: | CCE-84217-9 |
| References: | |
| Description | chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
To enable Chronyd service, you can run:
# systemctl enable chronyd.service
This recommendation only applies if chrony is in use on the system. |
| Rationale | If chrony is in use on the system proper configuration is vital to ensuring time
synchronization is working properly. |
OVAL test results detailspackage chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | chrony | x86_64 | (none) | 1.el9 | 4.6.1 | 0:4.6.1-1.el9 | 199e2f91fd431d51 | chrony-0:4.6.1-1.el9.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-84218-7
A remote time server for Chrony is configured
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_specify_remote_server:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | medium |
| Identifiers: | CCE-84218-7 |
| References: | |
| Description | Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed
to synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
https://chrony-project.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured. |
| Rationale | If chrony is in use on the system proper configuration is vital to ensuring time
synchronization is working properly. |
OVAL test results detailsEnsure at least one NTP server is set
oval:ssg-test_chronyd_remote_server:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Disable chrony daemon from acting as serverxccdf_org.ssgproject.content_rule_chronyd_client_only lowCCE-87543-5
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_client_only:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | low |
| Identifiers: | CCE-87543-5 |
| References: | | nist | AU-8(1), AU-12(1) | | ospp | FMT_SMF_EXT.1 | | os-srg | SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 | | stigid | RHEL-09-252025 | | stigref | SV-257946r958480_rule |
|
| Description | The port option in /etc/chrony.conf can be set to
0 to make chrony daemon to never open any listening port
for server operation and to operate strictly in a client-only mode. |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. |
|
|
|
OVAL test results detailscheck if port is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_client_only:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_port_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/chrony.conf | ^\s*port[\s]+(\S+) | 1 |
Disable network management of chrony daemonxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network lowCCE-88876-8
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_no_chronyc_network:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | low |
| Identifiers: | CCE-88876-8 |
| References: | | nist | CM-7(1) | | os-srg | SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 | | stigid | RHEL-09-252030 | | stigref | SV-257947r958480_rule |
|
| Description | The cmdport option in /etc/chrony.conf can be set to
0 to stop chrony daemon from listening on the UDP port 323
for management connections made by chronyc. |
| Rationale | Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface. |
|
|
|
OVAL test results detailscheck if cmdport is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_no_chronyc_network:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/chrony.conf | ^\s*cmdport[\s]+(\S+) | 1 |
Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll mediumCCE-88648-1
Configure Time Service Maxpoll Interval
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | medium |
| Identifiers: | CCE-88648-1 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | | nist | CM-6(a), AU-8(1)(b), AU-12(1) | | nist-csf | PR.PT-1 | | os-srg | SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146 | | stigid | RHEL-09-252020 | | stigref | SV-257945r1038944_rule |
|
| Description | The maxpoll should be configured to
16 in /etc/ntp.conf or
/etc/chrony.conf (or /etc/chrony.d/) to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/)
add the following after each server, pool or peer entry:
maxpoll 16
to server directives. If using chrony, any pool directives
should be configured too. |
| Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). |
|
|
|
OVAL test results detailscheck if maxpoll is set in /etc/ntp.conf
oval:ssg-test_ntp_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ntp.conf | ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/ntp.conf
oval:ssg-test_ntp_all_server_has_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ntp.conf | ^server[\s]+[\S]+[\s]+(.*) | 1 |
check if maxpoll is set in /etc/chrony.conf or /etc/chrony.d/
oval:ssg-test_chrony_set_maxpoll:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^(/etc/chrony\.conf|/etc/chrony\.d/.+\.conf)$ | ^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+) | 1 |
check if all server entries have maxpoll set in /etc/chrony.conf or /etc/chrony.d/
oval:ssg-test_chrony_all_server_has_maxpoll:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Ensure Chrony is only configured with the server directivexccdf_org.ssgproject.content_rule_chronyd_server_directive mediumCCE-87077-4
Ensure Chrony is only configured with the server directive
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_server_directive |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_server_directive:def:1 |
| Time | 2025-09-21T20:26:55-05:00 |
| Severity | medium |
| Identifiers: | CCE-87077-4 |
| References: | | os-srg | SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146 | | stigid | RHEL-09-252020 | | stigref | SV-257945r1038944_rule |
|
| Description | Check that Chrony only has time sources configured with the server directive. |
| Rationale | Depending on the infrastructure being used the pool directive may not be supported.
Using the server directive allows for better control of where the system gets time data from. |
| Warnings | warning
This rule doesn't come with a remediation, the time source needs to be added by the administrator. |
OVAL test results detailsEnsure at least one time source is set with server directive
oval:ssg-test_chronyd_server_directive_with_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_server_directive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/chrony\.(conf|d/.+\.conf)$ | ^[\s]*server.*$ | 1 |
Ensure no time source is set with pool directive
oval:ssg-test_chronyd_server_directive_no_pool:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_chronyd_no_pool_directive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/chrony\.(conf|d/.+\.conf)$ | ^[\s]+pool.*$ | 1 |
Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files highCCE-90208-0
Remove Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_host_based_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_host_based_files:def:1 |
| Time | 2025-09-21T20:27:05-05:00 |
| Severity | high |
| Identifiers: | CCE-90208-0 |
| References: | |
| Description | The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
|
| Rationale | The shosts.equiv files are used to configure host-based authentication for the system via SSH.
Host-based authentication is not sufficient for preventing unauthorized access to the system,
as it does not require interactive identification and authentication of a connection request,
or for the use of two-factor authentication. |
OVAL test results detailslook for shosts.equiv in /
oval:ssg-test_no_shosts_equiv:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | / | shosts.equiv |
Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files highCCE-86532-9
Remove User Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_user_host_based_files |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_user_host_based_files:def:1 |
| Time | 2025-09-21T20:27:14-05:00 |
| Severity | high |
| Identifiers: | CCE-86532-9 |
| References: | |
| Description | The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
|
| Rationale | The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication. |
OVAL test results detailslook for .shosts in /
oval:ssg-test_no_shosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|
| no value | / | .shosts |
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-84149-4
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2025-09-21T20:27:14-05:00 |
| Severity | high |
| Identifiers: | CCE-84149-4 |
| References: | | cis-csc | 11, 12, 14, 15, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | pcidss | Req-2.2.2 | | os-srg | SRG-OS-000095-GPOS-00049 | | anssi | R62 | | ccn | A.8.SEC-RHEL4 | | cis | 2.1.15 | | pcidss4 | 2.2.4, 2.2 | | stigid | RHEL-09-215040 | | stigref | SV-257831r1044898_rule |
|
| Description | The telnet-server package can be removed with the following command:
$ sudo dnf remove telnet-server
|
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
OVAL test results detailspackage telnet-server is removed
oval:ssg-test_package_telnet-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type
rpminfo_object
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-84154-4
Uninstall tftp-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
| Time | 2025-09-21T20:27:14-05:00 |
| Severity | high |
| Identifiers: | CCE-84154-4 |
| References: | | cis-csc | 11, 12, 14, 15, 3, 8, 9 | | cobit5 | APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06 | | isa-62443-2009 | 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2 | | nist | CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R62 | | ccn | A.8.SEC-RHEL4 | | cis | 2.1.16 | | pcidss4 | 2.2.4, 2.2 | | stigid | RHEL-09-215060 | | stigref | SV-257835r1069368_rule |
|
| Description | The tftp-server package can be removed with the following command: $ sudo dnf remove tftp-server
|
| Rationale | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Securty Manager (ISSM), restricted to only authorized personnel, and have
access control rules established. |
OVAL test results detailspackage tftp-server is removed
oval:ssg-test_package_tftp-server_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type
rpminfo_object
Verify the SSH Private Key Files Have a Passcodexccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected mediumCCE-86553-5
Verify the SSH Private Key Files Have a Passcode
| Rule ID | xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86553-5 |
| References: | |
| Description | When creating SSH key pairs, always use a passcode.
You can create such keys with the following command:
$ sudo ssh-keygen -n [passphrase]
Red Hat Enterprise Linux 9, for certificate-based authentication, must enforce authorized access to the corresponding private key. |
| Rationale | If an unauthorized user obtains access to a private key without a passcode,
that user would have unauthorized access to any system where the associated
public key has been installed. |
Evaluation messagesinfo
No candidate or applicable check found. |
SSHD Must Include System Crypto Policy Config Filexccdf_org.ssgproject.content_rule_sshd_include_crypto_policy mediumCCE-90566-1
SSHD Must Include System Crypto Policy Config File
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_include_crypto_policy:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90566-1 |
| References: | | nist | AC-17 (2) | | os-srg | SRG-OS-000250-GPOS-00093 | | stigid | RHEL-09-255055, RHEL-09-255060 | | stigref | SV-257987r1014852_rule, SV-257988r1051234_rule |
|
| Description | SSHD should follow the system cryptographic policy.
In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
The following line should be present in /etc/ssh/sshd_config or in a file included by this file (a file within the /etc/ssh/sshd_config.d directory):
Include /etc/crypto-policies/back-ends/opensshserver.config
|
| Rationale | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. |
| Warnings | warning
There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem. |
OVAL test results detailsEnsure that drop in config files are included
oval:ssg-test_sshd_include_crypto_policy_include_sshd_drop_in:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config | Include /etc/ssh/sshd_config.d/*.conf |
Ensure that drop in config files are included
oval:ssg-test_sshd_include_crypto_policy_include_sshd_include_system_crypto:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config.d/50-redhat.conf | Include /etc/crypto-policies/back-ends/opensshserver.config |
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-90805-3
Set SSH Client Alive Count Max
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_keepalive:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90805-3 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cjis | 5.5.6 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.11 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 | | ccn | A.5.SEC-RHEL7 | | cis | 5.1.9 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-255095 | | stigref | SV-257995r1045053_rule |
|
| Description | The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes a timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds without receiving
a keep alive message. |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_keepalive:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_set_keepalive_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_keepalive_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of ClientAliveCountMax is present
oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_keepalive:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_set_keepalive:obj:1
oval:ssg-obj_sshd_set_keepalive_config_dir:obj:1
|
Set SSH Client Alive Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-90811-1
Set SSH Client Alive Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_idle_timeout:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90811-1 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 | | cjis | 5.5.6 | | cobit5 | APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | cui | 3.1.11 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2 | | pcidss | Req-8.1.8 | | os-srg | SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175 | | ccn | A.5.SEC-RHEL7 | | cis | 5.1.9 | | pcidss4 | 8.2.8, 8.2 | | stigid | RHEL-09-255100 | | stigref | SV-257996r1045055_rule |
|
| Description | SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 600
The timeout interval is given in seconds. For example, have a timeout
of 10 minutes, set interval to 600.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended. |
| Warnings | warning
SSH disconnecting unresponsive clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
- Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
- Any
scp or sftp activity by the same user to the host resets the timeout.
|
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
timeout is configured
oval:ssg-test_sshd_idle_timeout:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_idle_timeout:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
timeout is configured in config directory
oval:ssg-test_sshd_idle_timeout_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_sshd_idle_timeout_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ | 1 |
Verify that the value of ClientAliveInterval is present
oval:ssg-test_clientaliveinterval_present:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_idle_timeout:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-object_sshd_idle_timeout:obj:1
oval:ssg-object_sshd_idle_timeout_config_dir:obj:1
|
Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-90816-0
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_host_auth:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90816-0 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5, 9 | | cjis | 5.5.6 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3 | | ospp | FIA_UAU.1 | | os-srg | SRG-OS-000480-GPOS-00229 | | cis | 5.1.12 | | pcidss4 | 8.3.1, 8.3 | | stigid | RHEL-09-255080 | | stigref | SV-257992r1045047_rule |
|
| Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate
configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the
following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
HostbasedAuthentication no
|
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
|
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_disable_host_auth_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of HostbasedAuthentication is present
oval:ssg-test_HostbasedAuthentication_present_disable_host_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_disable_host_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_disable_host_auth:obj:1
oval:ssg-obj_disable_host_auth_config_dir:obj:1
|
Enable SSH Server firewalld Firewall Exceptionxccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled mediumCCE-89175-4
Enable SSH Server firewalld Firewall Exception
| Rule ID | xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-firewalld_sshd_port_enabled:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-89175-4 |
| References: | |
| Description | If the SSH server is in use, inbound connections to SSH's port should be allowed to permit
remote access through SSH. In more restrictive firewalld settings, the SSH port should be
added to the proper firewalld zone in order to allow SSH remote access.
To configure firewalld to allow ssh access, run the following command(s):
firewall-cmd --permanent --add-service=ssh
Then run the following command to load the newly created rule(s):
firewall-cmd --reload
|
| Rationale | If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone
will allow remote access through the SSH port. |
| Warnings | warning
The remediation for this rule uses firewall-cmd and nmcli tools.
Therefore, it will only be executed if firewalld and NetworkManager
services are running. Otherwise, the remediation will be aborted and a informative message
will be shown in the remediation report.
These respective services will not be started in order to preserve any intentional change
in network components related to firewall and network interfaces. warning
This rule also checks if the SSH port was modified by the administrator in the firewalld
services definitions and is reflecting the expected port number. Although this is checked,
fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it
is not in the scope of the remediation since there is no reliable way to manually change
the respective file. If the default SSH port is modified, it is on the administrator
responsibility to ensure the firewalld customizations in the service port level are
properly configured. warning
Red Hat Enterprise Linux 9 prefers and recommends to use NetworkManager keyfiles instead of the
ifcfg files stored in /etc/sysconfig/network-scripts. Therefore, if the
system was upgraded from a previous release, make sure the NIC configuration files are
properly migrated from ifcfg format to NetworkManager keyfiles. Otherwise, this
rule won't be able to check the configuration. The migration can be accomplished by
nmcli connection migrate command. |
OVAL test results detailsSSH service is defined in all zones delivered in the firewalld package
oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Xpath |
|---|
| not evaluated | /usr/lib/firewalld/zones/public.xml | /usr/lib/firewalld/zones | public.xml | /zone/service[@name='ssh'] |
| not evaluated | /usr/lib/firewalld/zones/home.xml | /usr/lib/firewalld/zones | home.xml | /zone/service[@name='ssh'] |
| not evaluated | /usr/lib/firewalld/zones/external.xml | /usr/lib/firewalld/zones | external.xml | /zone/service[@name='ssh'] |
| not evaluated | /usr/lib/firewalld/zones/dmz.xml | /usr/lib/firewalld/zones | dmz.xml | /zone/service[@name='ssh'] |
| not evaluated | /usr/lib/firewalld/zones/internal.xml | /usr/lib/firewalld/zones | internal.xml | /zone/service[@name='ssh'] |
| not evaluated | /usr/lib/firewalld/zones/work.xml | /usr/lib/firewalld/zones | work.xml | /zone/service[@name='ssh'] |
there is no equivalent zone file defined by the administrator in /etc dir
oval:ssg-test_firewalld_sshd_port_enabled_usr_zones_not_overridden:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/firewalld/zones/public.xml | regular | 0 | 0 | 356 | rw-r--r-- |
SSH service is defined in all zones created or modified by the administrator
oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:var:1 | 1 |
SSH service is interger in the /usr/lib/firewalld/services dir
oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_usr:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Xpath |
|---|
| not evaluated | /usr/lib/firewalld/services/ssh.xml | /usr/lib/firewalld/services | ssh.xml | /service/port[@port='22'] |
SSH service is properly configured in /etc/firewalld/services dir
oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_etc:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_etc:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/firewalld/services/ssh.xml | <port.*port="(\d+)" | 1 |
Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-90801-2
Disable Compression Or Set Compression to delayed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_compression:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90801-2 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255130 | | stigref | SV-258002r991589_rule |
|
| Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression no
|
| Rationale | If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of Compression setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_compression:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_compression:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Compression setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_compression_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_compression_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of Compression is present
oval:ssg-test_Compression_present_sshd_disable_compression:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_compression:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_compression:obj:1
oval:ssg-obj_sshd_disable_compression_config_dir:obj:1
|
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-90799-8
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | high |
| Identifiers: | CCE-90799-8 |
| References: | | cis-csc | 11, 12, 13, 14, 15, 16, 18, 3, 5, 9 | | cjis | 5.5.6 | | cobit5 | APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06 | | cui | 3.1.1, 3.1.5 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3 | | ospp | FIA_UAU.1 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227 | | cis | 5.1.19 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255040 | | stigref | SV-257984r1045026_rule |
|
| Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitEmptyPasswords is present
oval:ssg-test_PermitEmptyPasswords_present_sshd_disable_empty_passwords:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_empty_passwords:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_empty_passwords:obj:1
oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1
|
Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-90808-7
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_gssapi_auth:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90808-7 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | ism | 0418, 1055, 1402 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | CM-7(a), CM-7(b), CM-6(a), AC-17(a) | | nist-csf | PR.IP-1 | | ospp | FTP_ITC_EXT.1, FCS_SSH_EXT.1.2 | | os-srg | SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 | | cis | 5.1.11 | | stigid | RHEL-09-255135 | | stigref | SV-258003r1045065_rule |
|
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate
configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
GSSAPIAuthentication no
|
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/ssh/sshd_config.d/50-redhat.conf | GSSAPIAuthentication yes |
Verify that the value of GSSAPIAuthentication is present
oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config.d/50-redhat.conf | GSSAPIAuthentication yes |
Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-90802-0
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_kerb_auth:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90802-0 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1 | | ospp | FTP_ITC_EXT.1, FCS_SSH_EXT.1.2 | | os-srg | SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255140 | | stigref | SV-258004r1045067_rule |
|
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos.
The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
KerberosAuthentication no
|
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation.
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of KerberosAuthentication is present
oval:ssg-test_KerberosAuthentication_present_sshd_disable_kerb_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_kerb_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_kerb_auth:obj:1
oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1
|
Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-90797-2
Disable SSH Support for .rhosts Files
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_rhosts:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90797-2 |
| References: | | cis-csc | 11, 12, 14, 15, 16, 18, 3, 5, 9 | | cjis | 5.5.6 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06 | | cui | 3.1.12 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3 | | os-srg | SRG-OS-000480-GPOS-00227 | | cis | 5.1.13 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255145 | | stigref | SV-258005r1045069_rule |
|
| Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate
configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreRhosts yes
|
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_rhosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of IgnoreRhosts is present
oval:ssg-test_IgnoreRhosts_present_sshd_disable_rhosts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_rhosts:obj:1
oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1
|
Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-90800-4
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90800-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 3, 5 | | cjis | 5.5.6 | | cobit5 | APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10 | | cui | 3.1.1, 3.1.5 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3 | | ospp | FAU_GEN.1 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500 | | anssi | R33 | | cis | 5.1.20 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255045 | | stigref | SV-257985r1069364_rule |
|
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PermitRootLogin no
|
| Rationale | Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_root_login:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_root_login_config_dir:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/ssh/sshd_config.d/01-permitrootlogin.conf | PermitRootLogin yes |
Verify that the value of PermitRootLogin is present
oval:ssg-test_PermitRootLogin_present_sshd_disable_root_login:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config.d/01-permitrootlogin.conf | PermitRootLogin yes |
Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-90796-4
Disable SSH Support for User Known Hosts
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_user_known_hosts:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90796-4 |
| References: | | cis-csc | 11, 3, 9 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255150 | | stigref | SV-258006r1045071_rule |
|
| Description | SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
IgnoreUserKnownHosts yes
|
| Rationale | Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_user_known_hosts:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_user_known_hosts:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_user_known_hosts_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of IgnoreUserKnownHosts is present
oval:ssg-test_IgnoreUserKnownHosts_present_sshd_disable_user_known_hosts:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_disable_user_known_hosts:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_disable_user_known_hosts:obj:1
oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1
|
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-90798-0
Disable X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_x11_forwarding:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90798-0 |
| References: | |
| Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate
configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
X11Forwarding no
|
| Rationale | Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_x11_forwarding:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/ssh/sshd_config.d/50-redhat.conf | X11Forwarding yes |
Verify that the value of X11Forwarding is present
oval:ssg-test_X11Forwarding_present_sshd_disable_x11_forwarding:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config.d/50-redhat.conf | X11Forwarding yes |
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-90803-8
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_do_not_permit_user_env:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90803-8 |
| References: | | cis-csc | 11, 3, 9 | | cjis | 5.5.6 | | cobit5 | BAI10.01, BAI10.02, BAI10.03, BAI10.05 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.4.3.2, 4.3.4.3.3 | | isa-62443-2013 | SR 7.6 | | iso27001-2013 | A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 | | nist | AC-17(a), CM-7(a), CM-7(b), CM-6(a) | | nist-csf | PR.IP-1 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000480-GPOS-00229 | | cis | 5.1.21 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255085 | | stigref | SV-257993r1045049_rule |
|
| Description | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PermitUserEnvironment no
|
| Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_do_not_permit_user_env:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PermitUserEnvironment is present
oval:ssg-test_PermitUserEnvironment_present_sshd_do_not_permit_user_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_do_not_permit_user_env:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_do_not_permit_user_env:obj:1
oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1
|
Enable PAMxccdf_org.ssgproject.content_rule_sshd_enable_pam mediumCCE-86722-6
Enable PAM
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_pam |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_pam:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86722-6 |
| References: | |
| Description | UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.
To enable PAM authentication, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
UsePAM yes
|
| Rationale | When UsePAM is set to yes, PAM runs through account and session types properly. This is
important if you want to restrict access to services based off of IP, time or other factors of
the account. Additionally, you can make sure users inherit certain environment variables
on login or disallow access to the server. |
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of UsePAM setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_pam:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pam:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of UsePAM setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_pam_config_dir:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/ssh/sshd_config.d/50-redhat.conf | UsePAM yes |
Verify that the value of UsePAM is present
oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/ssh/sshd_config.d/50-redhat.conf | UsePAM yes |
Enable Public Key Authenticationxccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth mediumCCE-86138-5
Enable Public Key Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_pubkey_auth:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86138-5 |
| References: | | os-srg | SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055 | | stigid | RHEL-09-255035 | | stigref | SV-257983r1045024_rule |
|
| Description | Enable SSH login with public keys.
The default SSH configuration enables authentication based on public keys. The appropriate
configuration is used if no value is set for PubkeyAuthentication.
To explicitly enable Public Key Authentication, add or correct the following
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PubkeyAuthentication yes
|
| Rationale | Without the use of multifactor authentication, the ease of access to
privileged functions is greatly increased. Multifactor authentication
requires using two or more factors to achieve authentication.
A privileged account is defined as an information system account with
authorizations of a privileged user.
The DoD CAC with DoD-approved PKI is an example of multifactor
authentication. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_pubkey_auth:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_pubkey_auth_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_pubkey_auth_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PubkeyAuthentication is present
oval:ssg-test_PubkeyAuthentication_present_sshd_enable_pubkey_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_pubkey_auth:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_enable_pubkey_auth:obj:1
oval:ssg-obj_sshd_enable_pubkey_auth_config_dir:obj:1
|
Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-90809-5
Enable Use of Strict Mode Checking
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_strictmodes:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90809-5 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.12 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-6, AC-17(a), CM-6(a) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255160 | | stigref | SV-258008r1045075_rule |
|
| Description | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
StrictModes yes
|
| Rationale | If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of StrictModes setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_strictmodes:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_strictmodes:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of StrictModes setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_strictmodes_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of StrictModes is present
oval:ssg-test_StrictModes_present_sshd_enable_strictmodes:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_strictmodes:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_enable_strictmodes:obj:1
oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1
|
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-90807-9
Enable SSH Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_warning_banner:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90807-9 |
| References: | | cis-csc | 1, 12, 15, 16 | | cjis | 5.5.6 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | cui | 3.1.9 | | hipaa | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-8(a), AC-8(c), AC-17(a), CM-6(a) | | nist-csf | PR.AC-7 | | ospp | FTA_TAB.1 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 | | stigid | RHEL-09-255025 | | stigref | SV-257981r1045019_rule |
|
| Description | To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
Banner /etc/issue
Another section contains information on how to create an
appropriate system-wide warning banner. |
| Rationale | The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers. Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of Banner setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_warning_banner:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Banner setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of Banner is present
oval:ssg-test_Banner_present_sshd_enable_warning_banner:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_enable_warning_banner:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_enable_warning_banner:obj:1
oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1
|
Enable SSH Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-90804-6
Enable SSH Print Last Log
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_print_last_log:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90804-6 |
| References: | | cis-csc | 1, 12, 15, 16 | | cobit5 | DSS05.04, DSS05.10, DSS06.10 | | isa-62443-2009 | 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9 | | iso27001-2013 | A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | AC-9, AC-9(1) | | nist-csf | PR.AC-7 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255165 | | stigref | SV-258009r1045077_rule |
|
| Description | Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login.
The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
PrintLastLog yes
|
| Rationale | Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_print_last_log:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_print_last_log:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PrintLastLog setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_print_last_log_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_print_last_log_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of PrintLastLog is present
oval:ssg-test_PrintLastLog_present_sshd_print_last_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_print_last_log:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_print_last_log:obj:1
oval:ssg-obj_sshd_print_last_log_config_dir:obj:1
|
Force frequent session key renegotiationxccdf_org.ssgproject.content_rule_sshd_rekey_limit mediumCCE-90815-2
Force frequent session key renegotiation
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_rekey_limit:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90815-2 |
| References: | | ospp | FCS_SSH_EXT.1.8 | | os-srg | SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014 | | stigid | RHEL-09-255090 | | stigref | SV-257994r1045051_rule |
|
| Description | The RekeyLimit parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed.
To decrease the default limits, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
RekeyLimit 1G
1h
|
| Rationale | By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of RekeyLimit setting in the file
oval:ssg-test_sshd_rekey_limit:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_rekey_limit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[\s]*RekeyLimit[\s]+(.*)$ | 1 |
tests the value of RekeyLimit setting in SSHD config directory
oval:ssg-test_sshd_rekey_limit_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_rekey_limit_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[\s]*RekeyLimit[\s]+(.*)$ | 1 |
Set SSH Daemon LogLevel to VERBOSExccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose mediumCCE-86923-0
Set SSH Daemon LogLevel to VERBOSE
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_loglevel_verbose:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86923-0 |
| References: | |
| Description | The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
LogLevel VERBOSE
|
| Rationale | SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO or
VERBOSE level is the basic level that only records login activity of SSH users. In many
situations, such as Incident Response, it is important to determine when a particular user was active
on a system. The logout record can eliminate those users who disconnected, which helps narrow the
field. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of LogLevel setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_set_loglevel_verbose:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_set_loglevel_verbose_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of LogLevel is present
oval:ssg-test_LogLevel_present_sshd_set_loglevel_verbose:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_set_loglevel_verbose:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_set_loglevel_verbose:obj:1
oval:ssg-obj_sshd_set_loglevel_verbose_config_dir:obj:1
|
Prevent remote hosts from connecting to the proxy displayxccdf_org.ssgproject.content_rule_sshd_x11_use_localhost mediumCCE-89105-1
Prevent remote hosts from connecting to the proxy display
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_x11_use_localhost:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-89105-1 |
| References: | |
| Description | The SSH daemon should prevent remote hosts from connecting to the proxy
display.
The default SSH configuration for X11UseLocalhost is yes,
which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct
the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
X11UseLocalhost yes
|
| Rationale | When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display. |
|
|
OVAL test results detailsVerify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| false | oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|
| true | oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_x11_use_localhost:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_x11_use_localhost:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of X11UseLocalhost setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_x11_use_localhost_config_dir:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_x11_use_localhost_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Verify that the value of X11UseLocalhost is present
oval:ssg-test_X11UseLocalhost_present_sshd_x11_use_localhost:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_collection_obj_sshd_x11_use_localhost:obj:1 of type
textfilecontent54_object
| Set |
|---|
|
oval:ssg-obj_sshd_x11_use_localhost:obj:1
oval:ssg-obj_sshd_x11_use_localhost_config_dir:obj:1
|
Install OpenSSH client softwarexccdf_org.ssgproject.content_rule_package_openssh-clients_installed mediumCCE-90836-8
Install OpenSSH client software
| Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-clients_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_openssh-clients_installed:def:1 |
| Time | 2025-09-21T20:27:14-05:00 |
| Severity | medium |
| Identifiers: | CCE-90836-8 |
| References: | | ospp | FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHC_EXT.1 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255020 | | stigref | SV-257980r1045016_rule |
|
| Description | The openssh-clients package can be installed with the following command:
$ sudo dnf install openssh-clients
|
| Rationale | This package includes utilities to make encrypted connections and transfer
files securely to SSH servers. |
OVAL test results detailspackage openssh-clients is installed
oval:ssg-test_package_openssh-clients_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-clients | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-clients-0:8.7p1-45.el9.x86_64 |
Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-90823-6
Install the OpenSSH Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_openssh-server_installed:def:1 |
| Time | 2025-09-21T20:27:14-05:00 |
| Severity | medium |
| Identifiers: | CCE-90823-6 |
| References: | | cis-csc | 13, 14 | | cobit5 | APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06 | | isa-62443-2013 | SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a) | | nist-csf | PR.DS-2, PR.DS-5 | | ospp | FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1 | | os-srg | SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 | | stigid | RHEL-09-255010 | | stigref | SV-257978r1045013_rule |
|
| Description | The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo dnf install openssh-server
|
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered. |
OVAL test results detailspackage openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-90822-8
Enable the OpenSSH Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_sshd_enabled:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90822-8 |
| References: | | cis-csc | 13, 14 | | cobit5 | APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06 | | cui | 3.1.13, 3.5.4, 3.13.8 | | isa-62443-2013 | SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4) | | nist-csf | PR.DS-2, PR.DS-5 | | os-srg | SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190 | | stigid | RHEL-09-255015 | | stigref | SV-257979r958908_rule |
|
| Description | The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
|
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types
of information system components from which information can be transmitted (e.g., servers,
mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths
outside the physical protection of a controlled boundary are exposed to the possibility
of interception and modification. |
OVAL test results detailspackage openssh-server is installed
oval:ssg-test_service_sshd_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64 |
Test that the sshd service is running
oval:ssg-test_service_running_sshd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | sshd.service | ActiveState | active |
| false | sshd.socket | ActiveState | inactive |
systemd test
oval:ssg-test_multi_user_wants_sshd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_sshd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Verify Group Who Owns SSH Server Configuration Filesxccdf_org.ssgproject.content_rule_directory_groupowner_sshd_config_d mediumCCE-86179-9
Verify Group Who Owns SSH Server Configuration Files
| Rule ID | xccdf_org.ssgproject.content_rule_directory_groupowner_sshd_config_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_groupowner_sshd_config_d:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86179-9 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255105 | | stigref | SV-257997r1069370_rule |
|
| Description |
To properly set the group owner of /etc/ssh/sshd_config.d, run the command:
$ sudo chgrp root /etc/ssh/sshd_config.d
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/ssh/sshd_config.d/
oval:ssg-test_file_groupownerdirectory_groupowner_sshd_config_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdirectory_groupowner_sshd_config_d_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh/sshd_config.d | no value | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownerdirectory_groupowner_sshd_config_d_0_0:ste:1 |
Verify Owner on SSH Server Configuration Filesxccdf_org.ssgproject.content_rule_directory_owner_sshd_config_d mediumCCE-86180-7
Verify Owner on SSH Server Configuration Files
| Rule ID | xccdf_org.ssgproject.content_rule_directory_owner_sshd_config_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_owner_sshd_config_d:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86180-7 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255110 | | stigref | SV-257998r1082181_rule |
|
| Description |
To properly set the owner of /etc/ssh/sshd_config.d, run the command:
$ sudo chown root /etc/ssh/sshd_config.d
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/ssh/sshd_config.d/
oval:ssg-test_file_ownerdirectory_owner_sshd_config_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdirectory_owner_sshd_config_d_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh/sshd_config.d | no value | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownerdirectory_owner_sshd_config_d_0_0:ste:1 |
Verify Permissions on SSH Server Config Filexccdf_org.ssgproject.content_rule_directory_permissions_sshd_config_d mediumCCE-86186-4
Verify Permissions on SSH Server Config File
| Rule ID | xccdf_org.ssgproject.content_rule_directory_permissions_sshd_config_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_permissions_sshd_config_d:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86186-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255115 | | stigref | SV-257999r1082182_rule |
|
| Description |
To properly set the permissions of /etc/ssh/sshd_config.d, run the command:
$ sudo chmod 0700 /etc/ssh/sshd_config.d
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting mode of /etc/ssh/sshd_config.d/
oval:ssg-test_file_permissionsdirectory_permissions_sshd_config_d_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsdirectory_permissions_sshd_config_d_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh/sshd_config.d | no value | oval:ssg-exclude_symlinks_directory_permissions_sshd_config_d:ste:1 | oval:ssg-state_file_permissionsdirectory_permissions_sshd_config_d_0_mode_0700or_stricter_:ste:1 |
Verify Group Who Owns SSH Server config filexccdf_org.ssgproject.content_rule_file_groupowner_sshd_config mediumCCE-90817-8
Verify Group Who Owns SSH Server config file
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_sshd_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90817-8 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 5.1.1 | | stigid | RHEL-09-255105 | | stigref | SV-257997r1069370_rule |
|
| Description |
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/ssh/sshd_config
oval:ssg-test_file_groupowner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_sshd_config_0_0:ste:1 |
Verify Group Who Owns SSH Server Configuration Filesxccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config mediumCCE-86253-2
Verify Group Who Owns SSH Server Configuration Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_sshd_drop_in_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86253-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255105 | | stigref | SV-257997r1069370_rule |
|
| Description |
To properly set the group owner of files in /etc/ssh/sshd_config.d, run the command:
find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \;
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting group ownership of /etc/ssh/sshd_config.d/
oval:ssg-test_file_groupowner_sshd_drop_in_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_drop_in_config_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh/sshd_config.d | ^.*$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupowner_sshd_drop_in_config_0_0:ste:1 |
Verify Owner on SSH Server config filexccdf_org.ssgproject.content_rule_file_owner_sshd_config mediumCCE-90821-0
Verify Owner on SSH Server config file
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_sshd_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90821-0 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 5.1.1 | | stigid | RHEL-09-255110 | | stigref | SV-257998r1082181_rule |
|
| Description |
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/ssh/sshd_config
oval:ssg-test_file_owner_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_sshd_config_0_0:ste:1 |
Verify Owner on SSH Server Configuration Filesxccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config mediumCCE-86217-7
Verify Owner on SSH Server Configuration Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_sshd_drop_in_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86217-7 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255110 | | stigref | SV-257998r1082181_rule |
|
| Description |
To properly set the owner of files in /etc/ssh/sshd_config.d, run the command:
find -H /etc/ssh/sshd_config.d -type d -exec chown -L root {} \;
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting user ownership of /etc/ssh/sshd_config.d/
oval:ssg-test_file_owner_sshd_drop_in_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_drop_in_config_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh/sshd_config.d | ^.*$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_owner_sshd_drop_in_config_0_0:ste:1 |
Verify Permissions on SSH Server config filexccdf_org.ssgproject.content_rule_file_permissions_sshd_config mediumCCE-90818-6
Verify Permissions on SSH Server config file
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90818-6 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 5.1.1 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255115 | | stigref | SV-257999r1082182_rule |
|
| Description |
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
OVAL test results detailsTesting mode of /etc/ssh/sshd_config
oval:ssg-test_file_permissions_sshd_config_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/ssh/sshd_config | oval:ssg-exclude_symlinks__sshd_config:ste:1 | oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 |
Verify Permissions on SSH Server Config Filexccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config mediumCCE-86216-9
Verify Permissions on SSH Server Config File
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_drop_in_config:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86216-9 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | os-srg | SRG-OS-000480-GPOS-00227 | | stigid | RHEL-09-255115 | | stigref | SV-257999r1082182_rule |
|
| Description |
To properly set the permissions of files in /etc/ssh/sshd_config.d, run the command:
find -H /etc/ssh/sshd_config.d -type d -exec chown 0600 {} \;
|
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
|
|
OVAL test results detailsTesting mode of /etc/ssh/sshd_config.d/
oval:ssg-test_file_permissions_sshd_drop_in_config_0:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/ssh/sshd_config.d/01-permitrootlogin.conf | regular | 0 | 0 | 141 | rw-r--r-- |
Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-90820-2
Verify Permissions on SSH Server Private *_key Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_private_key:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90820-2 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.13, 3.13.10 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 5.1.2 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255120 | | stigref | SV-258000r1045063_rule |
|
| Description | SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. |
| Rationale | If an unauthorized user obtains the private SSH host key file, the host could be
impersonated. |
| Warnings | warning
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. |
OVAL test results detailsNo keys that have unsafe ownership/permissions combination exist
oval:ssg-test_no_offending_keys:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_offending_keys:obj:1 of type
file_object
| Path | Filename | Filter | Filter | Filter |
|---|
| /etc/ssh | .*_key$ | oval:ssg-exclude_symlinks__sshd_private_key:ste:1 | oval:ssg-filter_ssh_key_owner_root:ste:1 | oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1 |
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-90819-4
Verify Permissions on SSH Server Public *.pub Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_sshd_pub_key:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-90819-4 |
| References: | | cis-csc | 12, 13, 14, 15, 16, 18, 3, 5 | | cobit5 | APO01.06, DSS05.04, DSS05.07, DSS06.02 | | cui | 3.1.13, 3.13.10 | | isa-62443-2009 | 4.3.3.7.3 | | isa-62443-2013 | SR 2.1, SR 5.2 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | AC-17(a), CM-6(a), AC-6(1) | | nist-csf | PR.AC-4, PR.DS-5 | | pcidss | Req-2.2.4 | | os-srg | SRG-OS-000480-GPOS-00227 | | anssi | R50 | | cis | 5.1.3 | | pcidss4 | 2.2.6, 2.2 | | stigid | RHEL-09-255125 | | stigref | SV-258001r991589_rule |
|
| Description | To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
|
| Rationale | If a public host key file is modified by an unauthorized user, the SSH service
may be compromised. |
| Warnings | warning
Remediation is not possible at bootable container build time because SSH host
keys are generated post-deployment. |
OVAL test results detailsTesting mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/ssh | ^.*\.pub$ | oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 | oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 |
The File /etc/ssh/sshd_config.d/50-redhat.conf Must Existxccdf_org.ssgproject.content_rule_file_sshd_50_redhat_exists mediumCCE-88599-6
The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_file_sshd_50_redhat_exists |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_sshd_50_redhat_exists:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-88599-6 |
| References: | |
| Description | The /etc/ssh/sshd_config.d/50-redhat.conf file must exist as it contains important
settings to secure SSH. |
| Rationale | The file must exist to configure SSH correctly. |
| Warnings | warning
There is no remediation available for this rule since this file needs to have the correct content for the given system. |
OVAL test results detailsTest that that /etc/ssh/sshd_config.d/50-redhat.conf does exist
oval:ssg-test_file_sshd_50_redhat_exists:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|
| not evaluated | /etc/ssh/sshd_config.d/50-redhat.conf | regular | 0 | 0 | 719 | rw------- |
Certificate status checking in SSSDxccdf_org.ssgproject.content_rule_sssd_certificate_verification mediumCCE-87088-1
Certificate status checking in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_certificate_verification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_certificate_verification:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-87088-1 |
| References: | | nist | IA-2(11) | | os-srg | SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162 | | stigid | RHEL-09-611170 | | stigref | SV-258123r1045248_rule |
|
| Description | Multifactor solutions that require devices separate from information systems gaining access include,
for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
Configuring certificate_verification to ocsp_dgst=sha512
ensures that certificates for
multifactor solutions are checked via Online Certificate Status Protocol (OCSP). |
| Rationale | Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
ensures the security of the system. |
|
|
OVAL test results detailstest the value of certificate_verification in sssd configuration
oval:ssg-test_sssd_certificate_verification:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_certificate_verification:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ | ^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst=(\w+)$ | 1 |
Enable Certmap in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_certmap mediumCCE-89737-1
Enable Certmap in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_certmap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_enable_certmap:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-89737-1 |
| References: | |
| Description | SSSD should be configured to verify the certificate of the user or group. To set this up
ensure that section like certmap/testing.test/rule_name is setup in
/etc/sssd/sssd.conf. For example
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
|
| Rationale | Without mapping the certificate used to authenticate to the user account, the ability to
determine the identity of the individual user or group will not be available for forensic
analysis. |
| Warnings | warning
Automatic remediation of this control is not available, since all of the settings in
in the certmap need to be customized. |
OVAL test results detailstests the presence of '\[certmap\/.+\/.+\]' setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_enable_certmap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_certmap:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sssd/sssd.conf | ^[\s]*\[certmap\/.+\/.+\][\s]*$ | 1 |
Enable Smartcards in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards mediumCCE-89155-6
Enable Smartcards in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_smartcards |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_enable_smartcards:def:1 |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-89155-6 |
| References: | | ism | 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 | | pcidss | Req-8.3 | | os-srg | SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055 | | stigid | RHEL-09-611165 | | stigref | SV-258122r1045246_rule |
|
| Description | SSSD should be configured to authenticate access to the system using smart cards.
To enable smart cards in SSSD, set pam_cert_auth to True under the
[pam] section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = True
Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include
"try_cert_auth" or "require_cert_auth" option, like in the following example:
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to
include the "allow_missing_name" option, like in the following example:
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
|
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multi-Factor Authentication (MFA) solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card. |
|
|
OVAL test results detailstests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_enable_smartcards:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_smartcards:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/sssd/(sssd\.conf|conf.d/[^/]+\.conf) | ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(\w+)\s*$ | 1 |
tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/smartcard-auth
oval:ssg-test_sssd_enable_smartcards_allow_missing_name_smartcard_auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_enable_smartcards_smartcard_auth_options:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/pam.d/smartcard-auth | ^\s*auth.*?pam_sss\.so(.*) | 1 |
tests the presence of try_cert_auth or require_cert_auth in /etc/pam.d/system-auth
oval:ssg-test_sssd_enable_smartcards_cert_auth_system_auth:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/pam.d/system-auth | auth sufficient pam_sss.so forward_pass |
SSSD Has a Correct Trust Anchorxccdf_org.ssgproject.content_rule_sssd_has_trust_anchor mediumCCE-86321-7
SSSD Has a Correct Trust Anchor
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:27:16-05:00 |
| Severity | medium |
| Identifiers: | CCE-86321-7 |
| References: | | nist | IA-5 (2) (a) | | os-srg | SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167 | | stigid | RHEL-09-631010 | | stigref | SV-258131r1015125_rule |
|
| Description | SSSD must have acceptable trust anchor present. |
| Rationale | Without path validation, an informed trust decision by the relying party cannot be made when
presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative entity represented via a public key and associated data. It
is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor;
it can be, for example, a Certification Authority (CA). A certification path starts with the
subject certificate and proceeds through a number of intermediate certificates up to a trusted
root certificate, typically issued by a trusted CA.
This requirement verifies that a certification path to an accepted trust anchor is used for
certificate validation and that the path includes status information. Path validation is
necessary for a relying party to make an informed trust decision when presented with any
certificate not already explicitly trusted. Status information for certification paths includes
certificate revocation lists or online certificate status protocol responses.
Validation of the certificate status information is out of scope for this requirement. |
| Warnings | warning
Automatic remediation of this control is not available. |
Evaluation messagesinfo
No candidate or applicable check found. |
Configure SSSD to Expire Offline Credentialsxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration mediumCCE-87996-5
Configure SSSD to Expire Offline Credentials
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_offline_cred_expiration:def:1 |
| Time | 2025-09-21T20:27:17-05:00 |
| Severity | medium |
| Identifiers: | CCE-87996-5 |
| References: | | cis-csc | 1, 12, 15, 16, 5 | | cobit5 | DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10 | | isa-62443-2009 | 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4 | | isa-62443-2013 | SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1 | | iso27001-2013 | A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 | | nist | CM-6(a), IA-5(13) | | nist-csf | PR.AC-1, PR.AC-6, PR.AC-7 | | os-srg | SRG-OS-000383-GPOS-00166 | | stigid | RHEL-09-631020 | | stigref | SV-258133r1045263_rule |
|
| Description | SSSD should be configured to expire offline credentials after 1 day.
Check if SSSD allows cached authentications with the following command:
$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing no further checks are required.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
|
| Rationale | If cached authentication information is out-of-date, the validity of the
authentication information may be questionable. |
OVAL test results detailstests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_offline_cred_expiration:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_offline_cred_expiration:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$ | ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*(\d+)\s*(?:#.*)?$ | 1 |
tests the value of cache_credentials setting in the /etc/sssd/sssd.conf file
oval:ssg-test_sssd_cache_credentials:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_cache_credentials:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$ | ^[\s]*cache_credentials\s*=\s*(\w+)\s*(?:#.*)?$ | 1 |
Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-84203-9
Install usbguard Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_usbguard_installed:def:1 |
| Time | 2025-09-21T20:27:17-05:00 |
| Severity | medium |
| Identifiers: | CCE-84203-9 |
| References: | |
| Description |
The usbguard package can be installed with the following command:
$ sudo dnf install usbguard
|
| Rationale | usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes.
|
|
|
|
|
|
|
|
|
OVAL test results detailspackage usbguard is installed
oval:ssg-test_package_usbguard_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type
rpminfo_object
Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-84205-4
Enable the USBGuard Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_usbguard_enabled:def:1 |
| Time | 2025-09-21T20:27:18-05:00 |
| Severity | medium |
| Identifiers: | CCE-84205-4 |
| References: | |
| Description | The USBGuard service should be enabled.
The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
|
| Rationale | The usbguard service must be running in order to
enforce the USB device authorization policy for all USB devices. |
|
|
|
|
|
|
OVAL test results detailspackage usbguard is installed
oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type
rpminfo_object
Test that the usbguard service is running
oval:ssg-test_service_running_usbguard:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_usbguard:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|
| ^usbguard\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_usbguard:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_usbguard_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Log USBGuard daemon audit events using Linux Auditxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend lowCCE-84206-2
Log USBGuard daemon audit events using Linux Audit
| Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:27:18-05:00 |
| Severity | low |
| Identifiers: | CCE-84206-2 |
| References: | |
| Description | To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
AuditBackend option in /etc/usbguard/usbguard-daemon.conf
needs to be set to LinuxAudit. |
| Rationale | Using the Linux Audit logging allows for centralized trace
of events. |
Generate USBGuard Policyxccdf_org.ssgproject.content_rule_usbguard_generate_policy mediumCCE-88882-6
Generate USBGuard Policy
| Rule ID | xccdf_org.ssgproject.content_rule_usbguard_generate_policy |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-usbguard_generate_policy:def:1 |
| Time | 2025-09-21T20:27:18-05:00 |
| Severity | medium |
| Identifiers: | CCE-88882-6 |
| References: | |
| Description | By default USBGuard when enabled prevents access to all USB devices and this lead
to inaccessible system if they use USB mouse/keyboard. To prevent this scenario,
the initial policy configuration must be generated based on current connected USB
devices. |
| Rationale | The usbguard must be configured to allow connected USB devices to work
properly, avoiding the system to become inaccessible. |
|
|
OVAL test results detailsCheck the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists
oval:ssg-test_usbguard_rules_nonempty:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/usbguard/(rules|rules\.d/.*)\.conf$ | ^.*\S+.*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-83830-0
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83830-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654015 | | stigref | SV-258177r1045316_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-83812-8
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83812-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654020 | | stigref | SV-258178r1045319_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-83832-6
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83832-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654015 | | stigref | SV-258177r1045316_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-83822-7
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83822-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654015 | | stigref | SV-258177r1045316_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-83829-2
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83829-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654020 | | stigref | SV-258178r1045319_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-83831-8
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83831-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654020 | | stigref | SV-258178r1045319_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-83821-9
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83821-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fremovexattr auid=0
oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-83817-7
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83817-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit fsetxattr auid=0
oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-83833-4
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83833-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654020 | | stigref | SV-258178r1045319_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-83814-4
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83814-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lremovexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lremovexattr auid=0
oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-83808-6
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83808-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lsetxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit lsetxattr auid=0
oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-83807-8
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83807-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit removexattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit removexattr auid=0
oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-83811-0
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83811-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.5 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203 | | app-srg-ctr | SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.9 | | pcidss4 | 10.3.4, 10.3 | | stigid | RHEL-09-654025 | | stigref | SV-258179r1069366_rule |
|
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit setxattr tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F
key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit setxattr auid=0
oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl_auid_0:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - umountxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount mediumCCE-89272-9
Record Events that Modify the System's Discretionary Access Controls - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_umount:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-89272-9 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654205 | | stigref | SV-258215r1045430_rule |
|
| Description | At a minimum, the audit system should collect file system umount
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit umount
oval:ssg-test_32bit_ardm_umount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit umount
oval:ssg-test_32bit_ardm_umount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - umount2xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 mediumCCE-88570-7
Record Events that Modify the System's Discretionary Access Controls - umount2
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_umount2:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88570-7 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | stigid | RHEL-09-654210 | | stigref | SV-258216r1045433_rule |
|
| Description | At a minimum, the audit system should collect file system umount2
changes. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
|
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit umount2
oval:ssg-test_32bit_ardm_umount2_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount2_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit umount2
oval:ssg-test_64bit_ardm_umount2_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_umount2_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit umount2
oval:ssg-test_32bit_ardm_umount2_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_umount2_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit umount2
oval:ssg-test_64bit_ardm_umount2_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_umount2_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chaclxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl mediumCCE-87685-4
Record Any Attempts to Run chacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_chacl:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-87685-4 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | cis | 6.3.3.17 | | stigid | RHEL-09-654035 | | stigref | SV-258181r1045328_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chacl
oval:ssg-test_audit_rules_execution_chacl_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chacl
oval:ssg-test_audit_rules_execution_chacl_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chacl_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setfaclxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl mediumCCE-90482-1
Record Any Attempts to Run setfacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setfacl:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90482-1 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | cis | 6.3.3.16 | | stigid | RHEL-09-654040 | | stigref | SV-258182r1045331_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setfacl
oval:ssg-test_audit_rules_execution_setfacl_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setfacl
oval:ssg-test_audit_rules_execution_setfacl_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfacl_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-83748-4
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83748-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | cis | 6.3.3.15 | | stigid | RHEL-09-654045 | | stigref | SV-258183r1045334_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-83750-0
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_semanage:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83750-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250 | | stigid | RHEL-09-654050 | | stigref | SV-258184r1045337_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles mediumCCE-83736-9
Record Any Attempts to Run setfiles
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setfiles:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83736-9 |
| References: | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250 | | stigid | RHEL-09-654055 | | stigref | SV-258185r1045340_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setfiles
oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setfiles
oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-83751-8
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setsebool:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83751-8 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250 | | stigid | RHEL-09-654060 | | stigref | SV-258186r1045343_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-83754-2
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83754-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | cis | 6.3.3.13 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 | | stigid | RHEL-09-654065 | | stigref | SV-258187r1045346_rule |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-83756-7
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83756-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | cis | 6.3.3.13 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 | | stigid | RHEL-09-654065 | | stigref | SV-258187r1045346_rule |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir mediumCCE-83758-3
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rmdir:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83758-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 | | stigid | RHEL-09-654065 | | stigref | SV-258187r1045346_rule |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink mediumCCE-83757-5
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83757-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | cis | 6.3.3.13 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 | | stigid | RHEL-09-654065 | | stigref | SV-258187r1045346_rule |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-83755-9
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83755-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | anssi | R73 | | cis | 6.3.3.13 | | pcidss4 | 10.2.1.7, 10.2.1, 10.2 | | stigid | RHEL-09-654065 | | stigref | SV-258187r1045346_rule |
|
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit
system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-83786-4
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83786-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL9 | | cis | 6.3.3.7 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit creat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-83800-3
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83800-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL9 | | cis | 6.3.3.7 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit ftruncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-83801-1
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83801-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL9 | | cis | 6.3.3.7 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-83796-3
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83796-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open_by_handle_at tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EACCES for 32bit
platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EACCES for 64bit
platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open_by_handle_at EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- open_by_handle_at
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open_by_handle_at in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83796-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-83794-8
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83794-8 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL9 | | cis | 6.3.3.7 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit openat tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-83792-2
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83792-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.4, Req-10.2.1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | anssi | R73 | | ccn | A.3.SEC-RHEL9 | | cis | 6.3.3.7 | | stigid | RHEL-09-654070 | | stigref | SV-258188r1045349_rule |
|
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
|
Remediation Ansible snippet ⇲| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Reboot: | true |
|---|
| Strategy: | restrict |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit truncate tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
| map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
| last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
|,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
| list }}"
- name: Declare missing syscalls
set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset
(?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM
-F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-83802-9
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83802-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280 | | anssi | R73 | | cis | 6.3.3.19 | | stigid | RHEL-09-654075 | | stigref | SV-258189r1045352_rule |
|
| Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-83803-7
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_finit:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83803-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280 | | anssi | R73 | | cis | 6.3.3.19 | | stigid | RHEL-09-654080 | | stigref | SV-258190r1045355_rule |
|
| Description | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
|
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-90835-0
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90835-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.7 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280 | | anssi | R73 | | cis | 6.3.3.19 | | stigid | RHEL-09-654080 | | stigref | SV-258190r1045355_rule |
|
| Description | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| true | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| false | x86_64 | DESKTOP-RNCU7UO.attlocal.net | Linux | 5.14.0-570.44.1.el9_6.x86_64 | #1 SMP PREEMPT_DYNAMIC Tue Sep 9 05:17:30 EDT 2025 | x86_64 |
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-83783-1
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83783-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 | | app-srg-ctr | SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290 | | anssi | R73 | | ccn | A.3.SEC-RHEL1 | | cis | 6.3.3.12 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 | | stigid | RHEL-09-654250 | | stigref | SV-258224r1014988_rule |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /var/log/faillock -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules var_accounts_passwords_pam_faillock_dir
oval:ssg-test_audit_rules_login_events_faillock_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_faillock_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /var/log/faillock | | ^\-w[\s]+/var/log/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl var_accounts_passwords_pam_faillock_dir
oval:ssg-test_audit_rules_login_events_faillock_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_faillock_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /var/log/faillock | | ^\-w[\s]+/var/log/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ |
| /etc/audit/audit.rules | 1 |
Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-83785-6
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83785-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000503-CTR-001275, SRG-APP-000506-CTR-001290 | | anssi | R73 | | ccn | A.3.SEC-RHEL1 | | cis | 6.3.3.12 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 | | stigid | RHEL-09-654255 | | stigref | SV-258225r1014990_rule |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /var/log/lastlog -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog
oval:ssg-test_audit_rules_login_events_lastlog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_lastlog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog
oval:ssg-test_audit_rules_login_events_lastlog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_lastlog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-83782-3
Record Attempts to Alter Logon and Logout Events - tallylog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_tallylog:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83782-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.3 | | os-srg | SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218 | | app-srg-ctr | SRG-APP-000503-CTR-001275 | | pcidss4 | 10.2.1.3, 10.2.1, 10.2 | | stigid | RHEL-09-654260 | | stigref | SV-258226r958846_rule |
|
| Description | The audit system already collects login information for all users
and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /var/log/tallylog -p wa -k logins
|
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules tallylog
oval:ssg-test_audit_rules_login_events_tallylog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_tallylog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl tallylog
oval:ssg-test_audit_rules_login_events_tallylog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_login_events_tallylog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - initxccdf_org.ssgproject.content_rule_audit_privileged_commands_init mediumCCE-85956-1
Ensure auditd Collects Information on the Use of Privileged Commands - init
| Rule ID | xccdf_org.ssgproject.content_rule_audit_privileged_commands_init |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_privileged_commands_init:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-85956-1 |
| References: | |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of the init command may cause availability issues for the system. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules init
oval:ssg-test_audit_privileged_commands_init_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_init_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl init
oval:ssg-test_audit_privileged_commands_init_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_init_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - poweroffxccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff mediumCCE-85957-9
Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
| Rule ID | xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_privileged_commands_poweroff:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-85957-9 |
| References: | |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of the poweroff command may cause availability issues for the system. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules poweroff
oval:ssg-test_audit_privileged_commands_poweroff_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_poweroff_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl poweroff
oval:ssg-test_audit_privileged_commands_poweroff_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_poweroff_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - rebootxccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot mediumCCE-85958-7
Ensure auditd Collects Information on the Use of Privileged Commands - reboot
| Rule ID | xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_privileged_commands_reboot:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-85958-7 |
| References: | |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of the reboot command may cause availability issues for the system. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules reboot
oval:ssg-test_audit_privileged_commands_reboot_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_reboot_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl reboot
oval:ssg-test_audit_privileged_commands_reboot_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_reboot_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - shutdownxccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown mediumCCE-85959-5
Ensure auditd Collects Information on the Use of Privileged Commands - shutdown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_privileged_commands_shutdown:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-85959-5 |
| References: | |
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of the shutdown command may cause availability issues for the system. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shutdown
oval:ssg-test_audit_privileged_commands_shutdown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_shutdown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl shutdown
oval:ssg-test_audit_privileged_commands_shutdown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_privileged_commands_shutdown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-83765-8
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chage:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83765-8 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270 | | stigid | RHEL-09-654085 | | stigref | SV-258191r1045358_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-83763-3
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chsh:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83763-3 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654090 | | stigref | SV-258192r1045361_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-83761-7
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_crontab:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83761-7 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654095 | | stigref | SV-258193r1045364_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-83773-2
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_gpasswd:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83773-2 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654100 | | stigref | SV-258194r1045367_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - kmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod mediumCCE-90262-7
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_kmod:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90262-7 |
| References: | | nist | AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a) | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280 | | anssi | R73 | | cis | 6.3.3.19 | | stigid | RHEL-09-654105 | | stigref | SV-258195r1045370_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules kmod
oval:ssg-test_audit_rules_privileged_commands_kmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl kmod
oval:ssg-test_audit_rules_privileged_commands_kmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_kmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - mountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount mediumCCE-89564-9
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_mount:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-89564-9 |
| References: | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085 | | stigid | RHEL-09-654180 | | stigref | SV-258210r1045415_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules mount
oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl mount
oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-83766-6
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgrp:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83766-6 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654110 | | stigref | SV-258196r1045373_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-83767-4
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83767-4 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654115 | | stigref | SV-258197r1045376_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl pam_timestamp_check
oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-83781-5
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_passwd:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83781-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654120 | | stigref | SV-258198r1045379_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop mediumCCE-83769-0
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postdrop:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83769-0 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654125 | | stigref | SV-258199r1045382_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postdrop
oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue mediumCCE-83770-8
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_postqueue:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83770-8 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654130 | | stigref | SV-258200r1045385_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run ssh-agentxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent mediumCCE-90388-0
Record Any Attempts to Run ssh-agent
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_ssh_agent:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90388-0 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654135 | | stigref | SV-258201r1045388_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules ssh_agent
oval:ssg-test_audit_rules_privileged_commands_ssh_agent_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_agent_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl ssh_agent
oval:ssg-test_audit_rules_privileged_commands_ssh_agent_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_agent_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-83776-5
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83776-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654140 | | stigref | SV-258202r1045391_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-83771-6
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_su:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83771-6 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | stigid | RHEL-09-654145 | | stigref | SV-258203r1045394_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules su
oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl su
oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-83780-7
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudo:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83780-7 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | anssi | R33 | | stigid | RHEL-09-654150 | | stigref | SV-258204r1045397_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit mediumCCE-83764-1
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudoedit:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83764-1 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654155 | | stigref | SV-258205r1045400_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount mediumCCE-83762-5
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_umount:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83762-5 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085 | | stigid | RHEL-09-654030 | | stigref | SV-258180r1045325_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-83768-2
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83768-2 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5 | | nist | AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654160 | | stigref | SV-258206r1045403_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_updatexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update mediumCCE-89481-6
Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_unix_update:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-89481-6 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654165 | | stigref | SV-258207r1045406_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules unix_update
oval:ssg-test_audit_rules_privileged_commands_unix_update_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_update_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl unix_update
oval:ssg-test_audit_rules_privileged_commands_unix_update_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_update_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper mediumCCE-83760-9
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_userhelper:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83760-9 |
| References: | | cis-csc | 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2 | | nist | AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | app-srg-ctr | SRG-APP-000495-CTR-001235 | | stigid | RHEL-09-654170 | | stigref | SV-258208r1045409_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usermodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod mediumCCE-87212-7
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_usermod:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-87212-7 |
| References: | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255 | | cis | 6.3.3.18 | | stigid | RHEL-09-654175 | | stigref | SV-258209r1045412_rule |
|
| Description |
At a minimum, the audit system should collect the execution of privileged
commands for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add
a line of the following form to a file with suffix .rules
in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the
following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules usermod
oval:ssg-test_audit_rules_privileged_commands_usermod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl usermod
oval:ssg-test_audit_rules_privileged_commands_usermod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usermod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-83716-1
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83716-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1, 3.4.3 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.2 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 | | app-srg-ctr | SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250 | | anssi | R73 | | cis | 6.3.3.20 | | pcidss4 | 10.3.2, 10.3 | | stigid | RHEL-09-654275 | | stigref | SV-258229r958434_rule |
|
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-e\s+2\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^\-e\s+2\s*$ | 1 |
Ensure auditd Collects System Administrator Actions - /etc/sudoersxccdf_org.ssgproject.content_rule_audit_rules_sudoers mediumCCE-90176-9
Ensure auditd Collects System Administrator Actions - /etc/sudoers
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_sudoers:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90176-9 |
| References: | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | stigid | RHEL-09-654215 | | stigref | SV-258217r1045436_rule |
|
| Description | At a minimum, the audit system should collect administrator actions
for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/sudoers -p wa -k actions
|
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers
oval:ssg-test_audit_rules_sudoers_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sudoers_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d mediumCCE-89498-0
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_sudoers_d:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-89498-0 |
| References: | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | stigid | RHEL-09-654220 | | stigref | SV-258218r1045439_rule |
|
| Description | At a minimum, the audit system should collect administrator actions
for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/sudoers.d/ -p wa -k actions
|
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers_d
oval:ssg-test_audit_rules_sudoers_d_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers_d
oval:ssg-test_audit_rules_sudoers_d_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sudoers_d_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Events When Privileged Executables Are Runxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function mediumCCE-86402-5
Record Events When Privileged Executables Are Run
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_suid_privilege_function:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-86402-5 |
| References: | | nist | CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9) | | os-srg | SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-OS-000755-GPOS-00220 | | app-srg-ctr | SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905 | | pcidss4 | 10.2.1.2, 10.2.1, 10.2 | | stigid | RHEL-09-654010 | | stigref | SV-258176r1045313_rule |
|
| Description | Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have
compromised information system accounts, is a serious and ongoing concern
and can have significant adverse impacts on organizations. Auditing the use
of privileged functions is one way to detect such misuse and identify the
risk from insider threats and the advanced persistent threat. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. |
|
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit uid privileged function
oval:ssg-test_32bit_uid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit uid privileged function
oval:ssg-test_64bit_uid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit gid privileged function
oval:ssg-test_32bit_gid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_gid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit gid privileged function
oval:ssg-test_64bit_gid_privileged_function_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_gid_privileged_function_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit uid privileged function
oval:ssg-test_32bit_uid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_uid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit uid privileged_function
oval:ssg-test_64bit_uid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_uid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit gid privileged function
oval:ssg-test_32bit_gid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_gid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit gid privileged_function
oval:ssg-test_64bit_gid_privileged_function_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_gid_privileged_function_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Shutdown System When Auditing Failures Occurxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown mediumCCE-83709-6
Shutdown System When Auditing Failures Occur
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_system_shutdown:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83709-6 |
| References: | | cis-csc | 1, 14, 15, 16, 3, 5, 6 | | cobit5 | APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1, 3.3.4 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9 | | iso27001-2013 | A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1 | | nist | AU-5(b), SC-24, CM-6(a) | | nist-csf | PR.PT-1 | | os-srg | SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023 | | stigid | RHEL-09-654265 | | stigref | SV-258227r1014992_rule |
|
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to to the bottom of a file with suffix
.rules in the directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
bottom of the /etc/audit/audit.rules file:
-f 2
|
| Rationale | It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or
exceeded. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration shutdown
oval:ssg-test_ars_shutdown_augenrules:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/rules.d/audit.rules | -f 1
|
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration shutdown
oval:ssg-test_ars_shutdown_auditctl:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/audit.rules | -f 1 |
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-83722-9
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_group:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83722-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.8 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 | | stigid | RHEL-09-654225 | | stigref | SV-258219r1015130_rule |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/group -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-83723-7
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83723-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.8 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 | | stigid | RHEL-09-654230 | | stigref | SV-258220r1015131_rule |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-83712-0
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83712-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.8 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 | | stigid | RHEL-09-654235 | | stigref | SV-258221r1015132_rule |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-83714-6
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_passwd:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83714-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.8 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 | | stigid | RHEL-09-654240 | | stigref | SV-258222r1015133_rule |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-83725-2
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_shadow:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83725-2 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.1.7 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3 | | nist | AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | pcidss | Req-10.2.5 | | os-srg | SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221 | | app-srg-ctr | SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275 | | anssi | R73 | | ccn | A.3.SEC-RHEL7 | | cis | 6.3.3.8 | | pcidss4 | 10.2.1.5, 10.2.1, 10.2 | | stigid | RHEL-09-654245 | | stigref | SV-258223r1015134_rule |
|
| Description |
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following lines to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
|
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
|
|
OVAL test results detailsaudit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ | /etc/audit/audit.rules | 1 |
System Audit Directories Must Be Group Owned By Rootxccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit mediumCCE-90516-6
System Audit Directories Must Be Group Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_group_ownership_var_log_audit:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90516-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | cui | 3.3.1 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1), AU-9(4) | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.1 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | | stigid | RHEL-09-653080 | | stigref | SV-258165r958434_rule |
|
| Description | All audit directories must be group owned by root user. By default, the path for audit log is /var/log/audit/ .
To properly set the group owner of /var/log/audit, run the command:
$ sudo chgrp root /var/log/audit
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the group ownership of the audit directories to this specific group. |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results detailslog_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
/var/log/audit directories uid root gid root
oval:ssg-test_group_ownership_var_log_audit_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| /var/log/audit/audit.log | | /var/log/audit |
| no value | no value | oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
/var/log/audit directories uid root gid root
oval:ssg-test_group_ownership_default_var_log_audit_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_default_var_log_audit_directories:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | no value | oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 |
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
log_group is set
oval:ssg-test_auditd_conf_log_group_is_set:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_group = root |
/var/log/audit directories uid root gid root
oval:ssg-test_group_ownership_var_log_audit_directories-non_root:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_group_ownership_var_log_audit_directories-non_root:obj:1 of type
file_object
| Behaviors | Path | Filename | Filter |
|---|
| no value | /var/log/audit | no value | oval:ssg-state_group_owner_not_root_var_log_audit_directories-non_root:ste:1 |
System Audit Directories Must Be Owned By Rootxccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit mediumCCE-85869-6
System Audit Directories Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_ownership_var_log_audit:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-85869-6 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | cui | 3.3.1 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nist | CM-6(a), AC-6(1), AU-9(4) | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5.1 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | | stigid | RHEL-09-653085 | | stigref | SV-258166r1045303_rule |
|
| Description | All audit directories must be owned by root user. By default, the path for audit log is /var/log/audit/ .
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
|
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
OVAL test results detailslog_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
log_file's directory uid root gid root
oval:ssg-test_user_ownership_var_log_audit_path:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_path:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| /var/log/audit | | /var/log/audit/audit.log |
| no value | oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
/var/log/audit directories uid root gid root
oval:ssg-test_user_ownership_var_log_audit_directories:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_user_ownership_var_log_audit_directories:obj:1 of type
file_object
| Path | Filename | Filter |
|---|
| /var/log/audit | no value | oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 |
Audit Configuration Files Must Be Owned By Group rootxccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration mediumCCE-86446-2
Audit Configuration Files Must Be Owned By Group root
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_audit_configuration:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-86446-2 |
| References: | |
| Description | All audit configuration files must be owned by group root.
chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
|
| Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results detailsTesting group ownership of /etc/audit/
oval:ssg-test_file_groupownership_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_configuration_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit | ^.*audit(\.rules|d\.conf)$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownership_audit_configuration_0_0:ste:1 |
Testing group ownership of /etc/audit/rules.d/
oval:ssg-test_file_groupownership_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_audit_configuration_1:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit/rules.d | ^.*\.rules$ | oval:ssg-symlink_file_groupowner:ste:1 | oval:ssg-state_file_groupownership_audit_configuration_0_0:ste:1 |
Audit Configuration Files Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_audit_configuration mediumCCE-86445-4
Audit Configuration Files Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_audit_configuration:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-86445-4 |
| References: | |
| Description | All audit configuration files must be owned by root user.
To properly set the owner of /etc/audit/, run the command:
$ sudo chown root /etc/audit/
To properly set the owner of /etc/audit/rules.d/, run the command:
$ sudo chown root /etc/audit/rules.d/
|
| Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results detailsTesting user ownership of /etc/audit/
oval:ssg-test_file_ownership_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_configuration_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit | ^.*audit(\.rules|d\.conf)$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_audit_configuration_0_0:ste:1 |
Testing user ownership of /etc/audit/rules.d/
oval:ssg-test_file_ownership_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_audit_configuration_1:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit/rules.d | ^.*\.rules$ | oval:ssg-symlink_file_owner:ste:1 | oval:ssg-state_file_ownership_audit_configuration_0_0:ste:1 |
Audit Configuration Files Permissions are 640 or More Restrictivexccdf_org.ssgproject.content_rule_file_permissions_audit_configuration mediumCCE-88002-1
Audit Configuration Files Permissions are 640 or More Restrictive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_audit_configuration:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88002-1 |
| References: | |
| Description | All audit configuration files permissions must be 640 or more restrictive.
chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
|
| Rationale | Without the capability to restrict which roles and individuals can
select which events are audited, unauthorized personnel may be able
to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by
overwhelming the audit log. Misconfigured audits may also make it more
difficult to establish, correlate, and investigate the events relating
to an incident or identify those responsible for one. |
OVAL test results detailsTesting mode of /etc/audit/
oval:ssg-test_file_permissions_audit_configuration_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_configuration_0:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit | ^.*audit(\.rules|d\.conf)$ | oval:ssg-exclude_symlinks__audit_configuration:ste:1 | oval:ssg-state_file_permissions_audit_configuration_0_mode_0640or_stricter_:ste:1 |
Testing mode of /etc/audit/rules.d/
oval:ssg-test_file_permissions_audit_configuration_1:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_audit_configuration_1:obj:1 of type
file_object
| Path | Filename | Filter | Filter |
|---|
| /etc/audit/rules.d | ^.*\.rules$ | oval:ssg-exclude_symlinks__audit_configuration:ste:1 | oval:ssg-state_file_permissions_audit_configuration_1_mode_0640or_stricter_:ste:1 |
System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit mediumCCE-83720-3
System Audit Logs Must Have Mode 0640 or Less Permissive
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_var_log_audit:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83720-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01 | | cui | 3.3.1 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1 | | iso27001-2013 | A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 | | nerc-cip | CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2 | | nist | CM-6(a), AC-6(1), AU-9(4) | | nist-csf | DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.5 | | os-srg | SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | | app-srg-ctr | SRG-APP-000118-CTR-000240 | | ccn | A.3.SEC-RHEL2 | | cis | 6.3.4.2 | | pcidss4 | 10.3.1, 10.3 | | stigid | RHEL-09-653090 | | stigref | SV-258167r1045306_rule |
|
| Description |
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct
permissive mode with the following command:
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log". |
| Rationale | If users can write to audit logs, audit trails can be modified or destroyed. |
OVAL test results detailslog_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
audit log files mode 0600
oval:ssg-test_file_permissions_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_log_files:obj:1 of type
file_object
| Filepath | Filter |
|---|
| /var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
log_file not set
oval:ssg-test_auditd_conf_log_file_not_set:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | log_file = /var/log/audit/audit.log |
default audit log files mode 0600
oval:ssg-test_file_permissions_default_audit_log:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_default_log_files:obj:1 of type
file_object
| Filepath | Filter |
|---|
| /var/log/audit/audit.log | oval:ssg-state_not_mode_0600:ste:1 |
Configure a Sufficiently Large Partition for Audit Logsxccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition mediumCCE-88173-0
Configure a Sufficiently Large Partition for Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition |
| Result | |
| Multi-check rule | no |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88173-0 |
| References: | | os-srg | SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133 | | stigid | RHEL-09-653030 | | stigref | SV-258155r1045300_rule |
|
| Description | The Red Hat Enterprise Linux 9 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.
The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available.
In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.
Determine which partition the audit records are being written to with the
following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the
following command:
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
|
| Rationale | Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information
systems with limited audit storage capacity. |
Evaluation messagesinfo
No candidate or applicable check found. |
Configure auditd Disk Error Action on Disk Errorxccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig mediumCCE-88303-3
Configure auditd Disk Error Action on Disk Error
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_error_action_stig:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88303-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | os-srg | SRG-OS-000047-GPOS-00023 | | stigid | RHEL-09-653020 | | stigref | SV-258153r1038966_rule |
|
| Description | The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records. |
|
|
|
OVAL test results detailsdisk full action
oval:ssg-test_auditd_data_disk_error_action_stig_syslog:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_error_action = SUSPEND |
disk full action
oval:ssg-test_auditd_data_disk_error_action_stig_single:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_error_action = SUSPEND |
disk full action
oval:ssg-test_auditd_data_disk_error_action_stig_halt:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_error_action = SUSPEND |
Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig mediumCCE-88336-3
Configure auditd Disk Full Action when Disk Space Is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_disk_full_action_stig:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88336-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | os-srg | SRG-OS-000047-GPOS-00023 | | stigid | RHEL-09-653025 | | stigref | SV-258154r1038966_rule |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records. |
|
|
|
OVAL test results detailsdisk full action
oval:ssg-test_auditd_data_disk_full_action_stig_syslog:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_full_action = SUSPEND |
disk full action
oval:ssg-test_auditd_data_disk_full_action_stig_single:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_full_action = SUSPEND |
disk full action
oval:ssg-test_auditd_data_disk_full_action_stig_halt:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | disk_full_action = SUSPEND |
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-83698-1
Configure auditd mail_acct Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_action_mail_acct:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83698-1 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nerc-cip | CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3 | | nist | IA-5(1), AU-5(a), AU-5(2), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7.a | | os-srg | SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134 | | cis | 6.3.2.4 | | stigid | RHEL-09-653070 | | stigref | SV-258163r958424_rule |
|
| Description | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root
|
| Rationale | Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action. |
OVAL test results detailsemail account for actions
oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | action_mail_acct = root |
Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action mediumCCE-83700-5
Configure auditd admin_space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_action:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-83700-5 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | cis | 6.3.2.4 | | pcidss4 | 10.5.1, 10.5 | | stigid | RHEL-09-653050 | | stigref | SV-258159r971542_rule |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur. |
|
|
|
OVAL test results detailsspace left action
oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | admin_space_left_action = SUSPEND |
Configure auditd admin_space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_percentage mediumCCE-88816-4
Configure auditd admin_space_left on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_percentage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_percentage:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88816-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | stigid | RHEL-09-653045 | | stigref | SV-258158r971542_rule |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
admin_space_left = PERCENTAGE%
Set this value to 5
to cause the system to perform an action. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption. |
|
|
OVAL test results detailsadmin space left action
oval:ssg-test_auditd_data_retention_admin_space_left_percentage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_data_retention_admin_space_left_percentage:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/auditd.conf | ^[\s]*admin_space_left[\s]+=[\s]+(\d+)%[\s]*$ | 1 |
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig mediumCCE-88396-7
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action_stig:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-88396-7 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000047-GPOS-00023 | | app-srg-ctr | SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800 | | stigid | RHEL-09-653055 | | stigref | SV-258160r1038966_rule |
|
| Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ignoresyslogsuspendrotatekeep_logs
Set the ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. |
| Rationale | Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
OVAL test results detailsadmin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action_stig_rotate:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | max_log_file_action = ROTATE |
admin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action_stig_single:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | max_log_file_action = ROTATE |
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-83703-9
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-83703-9 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | cui | 3.3.1 | | hipaa | 164.312(a)(2)(ii) | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | cis | 6.3.2.4 | | pcidss4 | 10.5.1, 10.5 | | stigid | RHEL-09-653040 | | stigref | SV-258157r971542_rule |
|
| Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslogemailexecsuspendsinglehalt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
|
|
|
OVAL test results detailsspace left action
oval:ssg-test_auditd_data_retention_space_left_action:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | space_left_action = SYSLOG |
Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage mediumCCE-87746-4
Configure auditd space_left on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_percentage:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-87746-4 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8 | | cobit5 | APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01 | | isa-62443-2009 | 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2 | | iso27001-2013 | A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1 | | nist | AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a) | | nist-csf | DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 | | pcidss | Req-10.7 | | os-srg | SRG-OS-000343-GPOS-00134 | | stigid | RHEL-09-653035 | | stigref | SV-258156r971542_rule |
|
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to
notify the user of an issue. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption. |
|
|
OVAL test results detailsadmin space left action
oval:ssg-test_auditd_data_retention_space_left_percentage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_data_retention_space_left_percentage:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/auditd.conf | ^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$ | 1 |
Set number of records to cause an explicit flush to audit logsxccdf_org.ssgproject.content_rule_auditd_freq mediumCCE-83704-7
Set number of records to cause an explicit flush to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_freq |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_freq:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-83704-7 |
| References: | |
| Description | To configure Audit daemon to issue an explicit flush to disk command
after writing 100 records, set freq to 100
in /etc/audit/auditd.conf. |
| Rationale | If option freq isn't set to 100, the flush to disk
may happen after higher number of records, increasing the danger
of audit loss. |
OVAL test results detailstests the value of freq setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_freq:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | freq = 50 |
Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-83682-5
Include Local Events in Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_local_events:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-83682-5 |
| References: | |
| Description | To configure Audit daemon to include local events in Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If option local_events isn't set to yes only events from
network will be aggregated. |
OVAL test results detailstests the value of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | local_events = yes |
Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format lowCCE-83696-5
Resolve information before writing to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_log_format:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | low |
| Identifiers: | CCE-83696-5 |
| References: | | nist | CM-6, AU-3 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 | | app-srg-ctr | SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800 | | stigid | RHEL-09-653100 | | stigref | SV-258169r991556_rule |
|
| Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. |
| Rationale | If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them. |
OVAL test results detailstests the value of log_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_log_format:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | log_format = ENRICHED |
Set type of computer node name logging in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-83686-6
Set type of computer node name logging in audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_name_format:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-83686-6 |
| References: | | nist | CM-6, AU-3 | | ospp | FAU_GEN.1.2 | | os-srg | SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | pcidss4 | 10.2.2, 10.2 | | stigid | RHEL-09-653060 | | stigref | SV-258161r958416_rule |
|
| Description | To configure Audit daemon to use a unique identifier
as computer node name in the audit events,
set name_format to hostname|fqd|numeric
in /etc/audit/auditd.conf. |
| Rationale | If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish. |
| Warnings | warning
Whenever the variable var_auditd_name_format uses a multiple value option, for example
A|B|C , the first value will be used when remediating this rule. |
|
|
|
OVAL test results detailstests the value of name_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_name_format:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/audit/auditd.conf | name_format = NONE |
Appropriate Action Must be Setup When the Internal Audit Event Queue is Fullxccdf_org.ssgproject.content_rule_auditd_overflow_action mediumCCE-87901-5
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_overflow_action |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_overflow_action:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-87901-5 |
| References: | | nist | AU-4(1) | | os-srg | SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | | stigid | RHEL-09-653065 | | stigref | SV-258162r958754_rule |
|
| Description | The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action
to one of the following values: syslog, single, halt. |
| Rationale | The audit system should have an action setup in the event the internal event queue becomes full
so that no data is lost. |
OVAL test results detailstests the value of overflow_action setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_overflow_action:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | overflow_action = SYSLOG |
Write Audit Logs to the Diskxccdf_org.ssgproject.content_rule_auditd_write_logs mediumCCE-83705-4
Write Audit Logs to the Disk
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_write_logs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_write_logs:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-83705-4 |
| References: | |
| Description | To configure Audit daemon to write Audit logs to the disk, set
write_logs to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If write_logs isn't set to yes, the Audit logs will
not be written to the disk. |
OVAL test results detailstests the value of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/audit/auditd.conf | write_logs = yes |
tests the absence of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| not evaluated | /etc/audit/auditd.conf | write_logs = |
Verify Permissions on /etc/audit/auditd.confxccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd mediumCCE-89284-4
Verify Permissions on /etc/audit/auditd.conf
| Rule ID | xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_permissions_etc_audit_auditd:def:1 |
| Time | 2025-09-21T20:27:21-05:00 |
| Severity | medium |
| Identifiers: | CCE-89284-4 |
| References: | |
| Description |
To properly set the permissions of /etc/audit/auditd.conf, run the command:
$ sudo chmod 0640 /etc/audit/auditd.conf
|
| Rationale | Without the capability to restrict the roles and individuals that can select which events
are audited, unauthorized personnel may be able to prevent the auditing of critical
events. Misconfigured audits may degrade the system's performance by overwhelming
the audit log. Misconfigured audits may also make it more difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one. |
OVAL test results detailsTesting mode of /etc/audit/auditd.conf
oval:ssg-test_file_permissions_etc_audit_auditd_0:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_audit_auditd_0:obj:1 of type
file_object
| Filepath | Filter | Filter |
|---|
| /etc/audit/auditd.conf | oval:ssg-exclude_symlinks__etc_audit_auditd:ste:1 | oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1 |
Install audispd-plugins Packagexccdf_org.ssgproject.content_rule_package_audispd-plugins_installed mediumCCE-83648-6
Install audispd-plugins Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_audispd-plugins_installed:def:1 |
| Time | 2025-09-21T20:27:18-05:00 |
| Severity | medium |
| Identifiers: | CCE-83648-6 |
| References: | |
| Description | The audispd-plugins package can be installed with the following command:
$ sudo dnf install audispd-plugins
|
| Rationale | audispd-plugins provides plugins for the real-time interface to the
audit subsystem, audispd. These plugins can do things like relay events
to remote machines or analyze events for suspicious behavior.
|
|
|
|
|
|
|
|
OVAL test results detailspackage audispd-plugins is installed
oval:ssg-test_package_audispd-plugins_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_audispd-plugins_installed:obj:1 of type
rpminfo_object
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-83649-4
Ensure the audit Subsystem is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_audit_installed:def:1 |
| Time | 2025-09-21T20:27:18-05:00 |
| Severity | medium |
| Identifiers: | CCE-83649-4 |
| References: | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) | | nerc-cip | CIP-004-6 R3.3, CIP-007-3 R6.5 | | nist | AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a) | | ospp | FAU_GEN.1 | | pcidss | Req-10.1 | | os-srg | SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | anssi | R33, R73 | | cis | 6.3.1.1 | | pcidss4 | 10.2.1, 10.2 | | stigid | RHEL-09-653010 | | stigref | SV-258151r1045298_rule |
|
| Description | The audit package should be installed. |
| Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
OVAL test results detailspackage audit is installed
oval:ssg-test_package_audit_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64 |
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-90829-3
Enable auditd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_auditd_enabled:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | medium |
| Identifiers: | CCE-90829-3 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1, 3.3.2, 3.3.6 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nerc-cip | CIP-004-6 R3.3, CIP-007-3 R6.5 | | nist | AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23) | | nist-csf | DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | ospp | FAU_GEN.1 | | pcidss | Req-10.1 | | os-srg | SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | app-srg-ctr | SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310 | | anssi | R33, R73 | | cis | 6.3.1.4 | | pcidss4 | 10.2.1, 10.2 | | stigid | RHEL-09-653015 | | stigref | SV-258152r1015127_rule |
|
| Description | The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
|
| Rationale | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. |
OVAL test results detailspackage audit is installed
oval:ssg-test_service_auditd_package_audit_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64 |
Test that the auditd service is running
oval:ssg-test_service_running_auditd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Property | Value |
|---|
| true | auditd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_auditd:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| true | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
systemd test
oval:ssg-test_multi_user_wants_auditd_socket:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| false | multi-user.target | basic.target | -.mount | sysinit.target | iscsi-starter.service | systemd-network-generator.service | ldconfig.service | proc-sys-fs-binfmt_misc.automount | dracut-shutdown.service | sys-kernel-tracing.mount | sys-kernel-debug.mount | veritysetup.target | dev-hugepages.mount | systemd-pcrphase-sysinit.service | systemd-boot-update.service | lvm2-monitor.service | integritysetup.target | plymouth-read-write.service | systemd-firstboot.service | multipathd.service | systemd-pcrphase.service | sys-fs-fuse-connections.mount | systemd-journal-catalog-update.service | systemd-binfmt.service | systemd-pstore.service | sys-kernel-config.mount | systemd-machine-id-commit.service | local-fs.target | boot-efi.mount | boot.mount | opt-share.mount | ostree-remount.service | systemd-remount-fs.service | systemd-hwdb-update.service | systemd-update-utmp.service | kmod-static-nodes.service | systemd-tmpfiles-setup-dev.service | systemd-tmpfiles-setup.service | plymouth-start.service | systemd-journald.service | systemd-random-seed.service | swap.target | dev-mapper-rhel_desktop\x2d\x2drncu7uo\x2dswap.swap | selinux-autorelabel-mark.service | systemd-udevd.service | iscsi-onboot.service | systemd-pcrmachine.service | nis-domainname.service | systemd-sysctl.service | lvm2-lvmpolld.socket | systemd-ask-password-console.path | systemd-sysusers.service | systemd-modules-load.service | systemd-update-done.service | systemd-repart.service | systemd-udev-trigger.service | dev-mqueue.mount | cryptsetup.target | systemd-journal-flush.service | systemd-boot-random-seed.service | slices.target | -.slice | system.slice | low-memory-monitor.service | timers.target | logrotate.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | mlocate-updatedb.timer | dnf-makecache.timer | paths.target | microcode.service | sockets.target | dm-event.socket | iscsid.socket | dbus.socket | systemd-udevd-control.socket | sssd-kcm.socket | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald.socket | systemd-initctl.socket | multipathd.socket | iscsiuio.socket | cups.socket | systemd-journald-dev-log.socket | avahi-daemon.socket | NetworkManager.service | insights-client-boot.service | tuned.service | mcelog.service | systemd-ask-password-wall.path | ModemManager.service | rsyslog.service | ostree-readonly-sysroot-migration.service | firewalld.service | systemd-user-sessions.service | sshd.service | vmtoolsd.service | systemd-logind.service | run-vmblock\x2dfuse.mount | sssd.service | atd.service | nessusd.service | libstoragemgmt.service | irqbalance.service | getty.target | getty@tty1.service | plymouth-quit.service | cups.path | kdump.service | rhsmcertd.service | crond.service | chronyd.service | mdmonitor.service | auditd.service | smartd.service | cups.service | avahi-daemon.service | remote-fs.target | systemd-update-utmp-runlevel.service | plymouth-quit-wait.service |
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument lowCCE-83651-0
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | low |
| Identifiers: | CCE-83651-0 |
| References: | | cis-csc | 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8 | | cjis | 5.4.1.1 | | cobit5 | APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01 | | cui | 3.3.1 | | hipaa | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) | | isa-62443-2009 | 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4 | | isa-62443-2013 | SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6 | | iso27001-2013 | A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2 | | nist | AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1) | | nist-csf | DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4 | | ospp | FAU_GEN.1 | | pcidss | Req-10.3 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095 | | cis | 6.3.1.2 | | pcidss4 | 10.7.2, 10.7 | | stigid | RHEL-09-212055 | | stigref | SV-257796r1044847_rule |
|
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1"
If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form:
# /usr/lib/bootc/kargs.d/10-example.toml
kargs = ["audit=1"]
For more details on configuring kernel arguments in bootable container images, please refer to Bootc documentation. |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for audit=1 for all boot entries.
oval:ssg-test_grub2_audit_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_audit_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_audit_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for audit=1 for all boot entries.
oval:ssg-test_grub2_audit_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument lowCCE-83652-8
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_backlog_limit_argument:def:1 |
| Time | 2025-09-21T20:27:20-05:00 |
| Severity | low |
| Identifiers: | CCE-83652-8 |
| References: | | nist | CM-6(a) | | ospp | FAU_STG.1, FAU_STG.3 | | os-srg | SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215 | | cis | 6.3.1.3 | | pcidss4 | 10.7.2, 10.7 | | stigid | RHEL-09-653120 | | stigref | SV-258173r991555_rule |
|
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit_backlog_limit=8192 is added as a kernel command line
argument to newly installed kernels, add audit_backlog_limit=8192 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead.
The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form:
# /usr/lib/bootc/kargs.d/10-example.toml
kargs = ["audit_backlog_limit=8192"]
For more details on configuring kernel arguments in bootable container images, please refer to Bootc documentation. |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken. |
|
|
|
|
OVAL test results detailspackage kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for audit_backlog_limit=8192 for all boot entries.
oval:ssg-test_grub2_audit_backlog_limit_entries:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /boot/loader/entries/563df4c43387434ca51a65ee039b44ee-5.14.0-570.44.1.el9_6.x86_64.conf | options root=/dev/mapper/rhel_desktop--rncu7uo-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1
false
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| false | /etc/default/grub | GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel_desktop--rncu7uo-swap rd.lvm.lv=rhel_desktop-rncu7uo/root rd.lvm.lv=rhel_desktop-rncu7uo/swap rhgb quiet" |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Path | Content |
|---|
| true | /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package kernel is installed
oval:ssg-bootc_platform_test_kernel_installed:tst:1
true
Following items have been found on the system:
| Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| not evaluated | kernel | x86_64 | (none) | 570.44.1.el9_6 | 5.14.0 | 0:5.14.0-570.44.1.el9_6 | 199e2f91fd431d51 | kernel-0:5.14.0-570.44.1.el9_6.x86_64 |
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package rpm-ostree is installed
oval:ssg-bootc_platform_test_rpm_ostree_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_rpm_ostree_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package bootc is installed
oval:ssg-bootc_platform_test_bootc_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_bootc_installed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
package openshift-kubelet is removed
oval:ssg-bootc_platform_test_openshift_kubelet_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_bootc_platform_test_openshift_kubelet_removed:obj:1 of type
rpminfo_object
check kernel command line parameters for audit_backlog_limit=8192 for all boot entries.
oval:ssg-test_grub2_audit_backlog_limit_usr_lib_bootc_kargs_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_usr_lib_bootc_kargs_d:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/bootc/kargs.d/ | ^.*\.toml$ | ^kargs = \[([^\]]+)\]$ | 1 |
Scroll back to the first rule